Login
For nearly a dozen years, residents of South Carolina have been kept in the dark by state and federal investigators over who was responsible for hacking into the stateβs revenue department in 2012 and stealing tax and bank account information for 3.6 million people. The answer may no longer be a mystery: KrebsOnSecurity found compelling clues suggesting the intrusion was carried out by the same Russian hacking crew that stole of millions of payment card records from big box retailers like Home Depot and Target in the years that followed.
Questions about who stole tax and financial data on roughly three quarters of all South Carolina residents came to the fore last week at the confirmation hearing of Mark Keel, who was appointed in 2011 by Gov. Nikki Haley to head the stateβs law enforcement division. If approved, this would be Keelβs third six-year term in that role.
The Associated Press reports that Keel was careful not to release many details about the breach at his hearing, telling lawmakers he knows who did it but that he wasnβt ready to name anyone.
βI think the fact that we didnβt come up with a whole lot of peopleβs information that got breached is a testament to the work that people have done on this case,β Keel asserted.
A ten-year retrospective published in 2022 by The Post and Courier in Columbia, S.C. said investigators determined the breach began on Aug. 13, 2012, after a state IT contractor clicked a malicious link in an email. State officials said they found out about the hack from federal law enforcement on October 10, 2012.
KrebsOnSecurity examined posts across dozens of cybercrime forums around that time, and found only one instance of someone selling large volumes of tax data in the year surrounding the breach date.
On Oct. 7, 2012 β three days before South Carolina officials say they first learned of the intrusion β a notorious cybercriminal who goes by the handle βRescatorβ advertised the sale of βa database of the tax department of one of the states.β
βBank account information, SSN and all other information,β Rescatorβs sales thread on the Russian-language crime forum Embargo read. βIf you purchase the entire database, I will give you access to it.β
A week later, Rescator posted a similar offer on the exclusive Russian forum Mazafaka, saying he was selling information from a U.S. state tax database, without naming the state. Rescator said the data exposed included Social Security Number (SSN), employer, name, address, phone, taxable income, tax refund amount, and bank account number.
βThere is a lot of information, I am ready to sell the entire database, with access to the database, and in parts,β Rescator told Mazafaka members. βThere is also information on corporate taxpayers.β
On Oct. 26, 2012, the state announced the breach publicly. State officials said they were working with investigators from the U.S. Secret Service and digital forensics experts from Mandiant, which produced an incident report (PDF) that was later published by South Carolina Dept. of Revenue. KrebsOnSecurity sought comment from the Secret Service, South Carolina prosecutors, and Mr. Keelβs office. This story will be updated if any of them respond. Update: The Secret Service declined to comment.
On Nov. 18, 2012, Rescator told fellow denizens of the forum Verified he was selling a database of 65,000 records with bank account information from several smaller, regional financial institutions. Rescatorβs sales thread on Verified listed more than a dozen database fields, including account number, name, address, phone, tax ID, date of birth, employer and occupation.
Asked to provide more context about the database for sale, Rescator told forum members the database included financial records related to tax filings of a U.S. state. Rescator added that there was a second database of around 80,000 corporations that included social security numbers, names and addresses, but no financial information.
The AP says South Carolina paid $12 million to Experian for identity theft protection and credit monitoring for its residents after the breach.
βAt the time, it was one of the largest breaches in U.S. history but has since been surpassed greatly by hacks to Equifax, Yahoo, Home Depot, Target and PlayStation,β the APβs Jeffrey Collins wrote.
As it happens, Rescatorβs criminal hacking crew was directly responsible for the 2013 breach at Target and the 2014 hack of Home Depot. The Target intrusion saw Rescatorβs cybercrime shops selling roughly 40 million stolen payment cards, and 56 million cards from Home Depot customers.
Who is Rescator? On Dec. 14, 2023, KrebsOnSecurity published the results of a 10-year investigation into the identity of Rescator, a.k.a. Mikhail Borisovich Shefel, a 36-year-old who lives in Moscow and who recently changed his last name to Lenin.
Mr. Keelβs assertion that somehow the efforts of South Carolina officials following the breach may have lessened its impact on citizens seems unlikely. The stolen tax and financial data appears to have been sold openly on cybercrime forums by one of the Russian undergroundβs most aggressive and successful hacking crews.
While there are no indications from reviewing forum posts that Rescator ever sold the data, his sales threads came at a time when the incidence of tax refund fraud was skyrocketing.
Tax-related identity theft occurs when someone uses a stolen identity and SSN to file a tax return in that personβs name claiming a fraudulent refund. Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually owed a refund from the U.S. Internal Revenue Service (IRS).
According toΒ a 2013 reportΒ from the Treasury Inspector Generalβs office, the IRS issued nearly $4 billion in bogus tax refunds in 2012, and more than $5.8 billion in 2013. The money largely was sent to people who stole SSNs and other information on U.S. citizens, and then filed fraudulent tax returns on those individuals claiming a large refund but at a different address.
It remains unclear why Shefel has never been officially implicated in the breaches at Target, Home Depot, or in South Carolina. It may be that Shefel has been indicted, and that those indictments remain sealed for some reason. Perhaps prosecutors were hoping Shefel would decide to leave Russia, at which point it would be easier to apprehend him if he believed no one was looking for him.
But all signs are that Shefel is deeply rooted in Russia, and has no plans to leave. In January 2024, authorities in Australia, the United States and the U.K. levied financial sanctions against 33-year-old Russian man Aleksandr Ermakov for allegedly stealing data on 10 million customers of the Australian health insurance giant Medibank.
A week after those sanctions were put in place, KrebsOnSecurity published a deep dive on Ermakov, which found that he co-ran a Moscow-based IT security consulting business along with Mikhail Shefel called Shtazi-IT.
A Google-translated version of Shtazi dot ru. Image: Archive.org.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said today it is investigating a breach at business intelligence company Sisense, whose products are designed to allow companies to view the status of multiple third-party online services in a single dashboard. CISA urged all Sisense customers to reset any credentials and secrets that may have been shared with the company, which is the same advice Sisense gave to its customers Wednesday evening.
New York City based Sisense has more than a thousand customers across a range of industry verticals, including financial services, telecommunications, healthcare and higher education. On April 10, Sisense Chief Information Security Officer Sangram Dash told customers the company had been made aware of reports that βcertain Sisense company information may have been made available on what we have been advised is a restricted access server (not generally available on the internet.)β
βWe are taking this matter seriously and promptly commenced an investigation,β Dash continued. βWe engaged industry-leading experts to assist us with the investigation. This matter has not resulted in an interruption to our business operations. Out of an abundance of caution, and while we continue to investigate, we urge you to promptly rotate any credentials that you use within your Sisense application.β
In its alert, CISA said it was working with private industry partners to respond to a recent compromise discovered by independent security researchers involving Sisense.
βCISA is taking an active role in collaborating with private industry partners to respond to this incident, especially as it relates to impacted critical infrastructure sector organizations,β the sparse alert reads. βWe will provide updates as more information becomes available.β
Sisense declined to comment when asked about the veracity of information shared by two trusted sources with close knowledge of the breach investigation. Those sources said the breach appears to have started when the attackers somehow gained access to the companyβs Gitlab code repository, and in that repository was a token or credential that gave the bad guys access to Sisenseβs Amazon S3 buckets in the cloud.
Customers can use Gitlab either as a solution that is hosted in the cloud at Gitlab.com, or as a self-managed deployment. KrebsOnSecurity understands that Sisense was using the self-managed version of Gitlab.
Both sources said the attackers used the S3 access to copy and exfiltrate several terabytes worth of Sisense customer data, which apparently included millions of access tokens, email account passwords, and even SSL certificates.
The incident raises questions about whether Sisense was doing enough to protect sensitive data entrusted to it by customers, such as whether the massive volume of stolen customer data was ever encrypted while at rest in these Amazon cloud servers.
It is clear, however, that unknown attackers now have all of the credentials that Sisense customers used in their dashboards.
The breach also makes clear that Sisense is somewhat limited in the clean-up actions that it can take on behalf of customers, because access tokens are essentially text files on your computer that allow you to stay logged in for extended periods of time β sometimes indefinitely. And depending on which service weβre talking about, it may be possible for attackers to re-use those access tokens to authenticate as the victim without ever having to present valid credentials.
Beyond that, it is largely up to Sisense customers to decide if and when they change passwords to the various third-party services that theyβve previously entrusted to Sisense.
Earlier today, a public relations firm working with Sisense reached out to learn if KrebsOnSecurity planned to publish any further updates on their breach (KrebsOnSecurity posted a screenshot of the CISOβs customer email to both LinkedIn and Mastodon on Wednesday evening). The PR rep said Sisense wanted to make sure they had an opportunity to comment before the story ran.
But when confronted with the details shared by my sources, Sisense apparently changed its mind.
βAfter consulting with Sisense, they have told me that they donβt wish to respond,β the PR rep said in an emailed reply.
Update, 6:49 p.m., ET: Added clarification that Sisense is using a self-hosted version of Gitlab, not the cloud version managed by Gitlab.com.
Also, Sisenseβs CISO Dash just sent an update to customers directly. The latest advice from the company is far more detailed, and involves resetting a potentially large number of access tokens across multiple technologies, including Microsoft Active Directory credentials, GIT credentials, web access tokens, and any single sign-on (SSO) secrets or tokens.
The full message from Dash to customers is below:
βGood Afternoon,
We are following up on our prior communication of April 10, 2024, regarding reports that certain Sisense company information may have been made available on a restricted access server. As noted, we are taking this matter seriously and our investigation remains ongoing.
Our customers must reset any keys, tokens, or other credentials in their environment used within the Sisense application.
Specifically, you should:
β Change Your Password: Change all Sisense-related passwords on http://my.sisense.com
β Non-SSO:
β Replace the Secret in the Base Configuration Security section with your GUID/UUID.
β Reset passwords for all users in the Sisense application.
β Logout all users by running GET /api/v1/authentication/logout_all under Admin user.
β Single Sign-On (SSO):
β If you use SSO JWT for the userβs authentication in Sisense, you will need to update sso.shared_secret in Sisense and then use the newly generated value on the side of the SSO handler.
β We strongly recommend rotating the x.509 certificate for your SSO SAML identity provider.
β If you utilize OpenID, itβs imperative to rotate the client secret as well.
β Following these adjustments, update the SSO settings in Sisense with the revised values.
β Logout all users by running GET /api/v1/authentication/logout_all under Admin user.
β Customer Database Credentials: Reset credentials in your database that were used in the Sisense application to ensure continuity of connection between the systems.
β Data Models: Change all usernames and passwords in the database connection string in the data models.
β User Params: If you are using the User Params feature, reset them.
β Active Directory/LDAP: Change the username and user password of users whose authorization is used for AD synchronization.
β HTTP Authentication for GIT: Rotate the credentials in every GIT project.
β B2D Customers: Use the following API PATCH api/v2/b2d-connection in the admin section to update the B2D connection.
β Infusion Apps: Rotate the associated keys.
β Web Access Token: Rotate all tokens.
β Custom Email Server: Rotate associated credentials.
β Custom Code: Reset any secrets that appear in custom code Notebooks.
If you need any assistance, please submit a customer support ticket at https://community.sisense.com/t5/support-portal/bd-p/SupportPortal and mark it as critical. We have a dedicated response team on standby to assist with your requests.
At Sisense, we give paramount importance to security and are committed to our customersβ success. Thank you for your partnership and commitment to our mutual security.
Regards,
Sangram Dash
Chief Information Security Officerβ
Several Apple customers recently reported being targeted in elaborate phishing attacks that involve what appears to be a bug in Appleβs password reset feature. In this scenario, a targetβs Apple devices are forced to display dozens of system-level prompts that prevent the devices from being used until the recipient responds βAllowβ or βDonβt Allowβ to each prompt. Assuming the user manages not to fat-finger the wrong button on the umpteenth password reset request, the scammers will then call the victim while spoofing Apple support in the caller ID, saying the userβs account is under attack and that Apple support needs to βverifyβ a one-time code.
Some of the many notifications Patel says he received from Apple all at once.
Parth Patel is an entrepreneur who is trying to build a startup in the conversational AI space. On March 23, Patel documented on Twitter/X a recent phishing campaign targeting him that involved whatβs known as a βpush bombingβ or βMFA fatigueβ attack, wherein the phishers abuse a feature or weakness of a multi-factor authentication (MFA) system in a way that inundates the targetβs device(s) with alerts to approve a password change or login.
βAll of my devices started blowing up, my watch, laptop and phone,β Patel told KrebsOnSecurity. βIt was like this system notification from Apple to approve [a reset of the account password], but I couldnβt do anything else with my phone. I had to go through and decline like 100-plus notifications.β
Some people confronted with such a deluge may eventually click βAllowβ to the incessant password reset prompts β just so they can use their phone again. Others may inadvertently approve one of these prompts, which will also appear on a userβs Apple watch if they have one.
But the attackers in this campaign had an ace up their sleeves: Patel said after denying all of the password reset prompts from Apple, he received a call on his iPhone that said it was from Apple Support (the number displayed was 1-800-275-2273, Appleβs real customer support line).
βI pick up the phone and Iβm super suspicious,β Patel recalled. βSo I ask them if they can verify some information about me, and after hearing some aggressive typing on his end he gives me all this information about me and itβs totally accurate.β
All of it, that is, except his real name. Patel said when he asked the fake Apple support rep to validate the name they had on file for the Apple account, the caller gave a name that was not his but rather one that Patel has only seen in background reports about him that are for sale at a people-search website called PeopleDataLabs.
Patel said he has worked fairly hard to remove his information from multiple people-search websites, and he found PeopleDataLabs uniquely and consistently listed this inaccurate name as an alias on his consumer profile.
βFor some reason, PeopleDataLabs has three profiles that come up when you search for my info, and two of them are mine but one is an elementary school teacher from the midwest,β Patel said. βI asked them to verify my name and they said Anthony.β
Patel said the goal of the voice phishers is to trigger an Apple ID reset code to be sent to the userβs device, which is a text message that includes a one-time password. If the user supplies that one-time code, the attackers can then reset the password on the account and lock the user out. They can also then remotely wipe all of the userβs Apple devices.
Chris is a cryptocurrency hedge fund owner who asked that only his first name be used so as not to paint a bigger target on himself. Chris told KrebsOnSecurity he experienced a remarkably similar phishing attempt in late February.
βThe first alert I got I hit βDonβt Allowβ, but then right after that I got like 30 more notifications in a row,β Chris said. βI figured maybe I sat on my phone weird, or was accidentally pushing some button that was causing these, and so I just denied them all.β
Chris says the attackers persisted hitting his devices with the reset notifications for several days after that, and at one point he received a call on his iPhone that said it was from Apple support.
βI said I would call them back and hung up,β Chris said, demonstrating the proper response to such unbidden solicitations. βWhen I called back to the real Apple, they couldnβt say whether anyone had been in a support call with me just then. They just said Apple states very clearly that it will never initiate outbound calls to customers β unless the customer requests to be contacted.β
Massively freaking out that someone was trying to hijack his digital life, Chris said he changed his passwords and then went to an Apple store and bought a new iPhone. From there, he created a new Apple iCloud account using a brand new email address.
Chris said he then proceeded to get even more system alerts on his new iPhone and iCloud account β all the while still sitting at the local Apple Genius Bar.
Chris told KrebsOnSecurity his Genius Bar tech was mystified about the source of the alerts, but Chris said he suspects that whatever the phishers are abusing to rapidly generate these Apple system alerts requires knowing the phone number on file for the targetβs Apple account. After all, that was the only aspect of Chrisβs new iPhone and iCloud account that hadnβt changed.
βKenβ is a security industry veteran who spoke on condition of anonymity. Ken said he first began receiving these unsolicited system alerts on his Apple devices earlier this year, but that he has not received any phony Apple support calls as others have reported.
βThis recently happened to me in the middle of the night at 12:30 a.m.,β Ken said. βAnd even though I have my Apple watch set to remain quiet during the time Iβm usually sleeping at night, it woke me up with one of these alerts. Thank god I didnβt press βAllow,β which was the first option shown on my watch. I had to scroll watch the wheel to see and press the βDonβt Allowβ button.β
Ken shared this photo he took of an alert on his watch that woke him up at 12:30 a.m. Ken said he had to scroll on the watch face to see the βDonβt Allowβ button.
Ken didnβt know it when all this was happening (and itβs not at all obvious from the Apple prompts), but clicking βAllowβ would not have allowed the attackers to change Kenβs password. Rather, clicking βAllowβ displays a six digit PIN that must be entered on Kenβs device β allowing Ken to change his password. It appears that these rapid password reset prompts are being used to make a subsequent inbound phone call spoofing Apple more believable.
Ken said he contacted the real Apple support and was eventually escalated to a senior Apple engineer. The engineer assured Ken that turning on an Apple Recovery Key for his account would stop the notifications once and for all.
A recovery key is an optional security feature that Apple says βhelps improve the security of your Apple ID account.β It is a randomly generated 28-character code, and when you enable a recovery key it is supposed to disable Appleβs standard account recovery process. The thing is, enabling it is not a simple process, and if you ever lose that code in addition to all of your Apple devices you will be permanently locked out.
Ken said he enabled a recovery key for his account as instructed, but that it hasnβt stopped the unbidden system alerts from appearing on all of his devices every few days.
KrebsOnSecurity tested Kenβs experience, and can confirm that enabling a recovery key does nothing to stop a password reset prompt from being sent to associated Apple devices. Visiting Appleβs βforgot passwordβ page β https://iforgot.apple.com β asks for an email address and for the visitor to solve a CAPTCHA.
After that, the page will display the last two digits of the phone number tied to the Apple account. Filling in the missing digits and hitting submit on that form will send a system alert, whether or not the user has enabled an Apple Recovery Key.
The password reset page at iforgot.apple.com.
What sanely designed authentication system would send dozens of requests for a password change in the span of a few moments, when the first requests havenβt even been acted on by the user? Could this be the result of a bug in Appleβs systems?
Apple has not yet responded to requests for comment.
Throughout 2022, a criminal hacking group known as LAPSUS$ used MFA bombing to great effect in intrusions at Cisco, Microsoft and Uber. In response, Microsoft began enforcing βMFA number matching,β a feature that displays a series of numbers to a user attempting to log in with their credentials. These numbers must then be entered into the account ownerβs Microsoft authenticator app on their mobile device to verify they are logging into the account.
Kishan Bagaria is a hobbyist security researcher and engineer who founded the website texts.com (now owned by Automattic), and heβs convinced Apple has a problem on its end. In August 2019, Bagaria reported to Apple a bug that allowed an exploit he dubbed βAirDoSβ because it could be used to let an attacker infinitely spam all nearby iOS devices with a system-level prompt to share a file via AirDrop β a file-sharing capability built into Apple products.
Apple fixed that bug nearly four months later in December 2019, thanking Bagaria in the associated security bulletin. Bagaria said Appleβs fix was to add stricter rate limiting on AirDrop requests, and he suspects that someone has figured out a way to bypass Appleβs rate limit on how many of these password reset requests can be sent in a given timeframe.
βI think this could be a legit Apple rate limit bug that should be reported,β Bagaria said.
Apple seems requires a phone number to be on file for your account, but after youβve set up the account it doesnβt have to be a mobile phone number. KrebsOnSecurityβs testing shows Apple will accept a VOIP number (like Google Voice). So, changing your account phone number to a VOIP number that isnβt widely known would be one mitigation here.
One caveat with the VOIP number idea: Unless you include a real mobile number, Appleβs iMessage and Facetime applications will be disabled for that device. This might a bonus for those concerned about reducing the overall attack surface of their Apple devices, since zero-click zero-days in these applications have repeatedly been used by spyware purveyors.
Also, it appears Appleβs password reset system will accept and respect email aliases. Adding a β+β character after the username portion of your email address β followed by a notation specific to the site youβre signing up at β lets you create an infinite number of unique email addresses tied to the same account.
For instance, if I were signing up at example.com, I might give my email address as krebsonsecurity+example@gmail.com. Then, I simply go back to my inbox and create a corresponding folder called βExample,β along with a new filter that sends any email addressed to that alias to the Example folder. In this case, however, perhaps a less obvious alias than β+appleβ would be advisable.
Update, March 27, 5:06 p.m. ET:Β Added perspective on Kenβs experience. Also included a What Can You Do? section.
There has been an exponential increase in breaches within enterprises despite the carefully constructed and controlled perimeters that exist around applications and data. Once an attacker can access⦠Read more on Cisco Blogs
Related tags
FreshRSS