The rise of home schooling has seen a spike in hacking attempts against educational institutions, said third-party security researchers Check Point. Its latest paper claims that the USA has seen the biggest increase, with academic sector attacks rising 30 percent from 468 per week to 608 per week. Europe and Asia have both seen a 24 percent and 21 percent increase, respectively, in the number of hacking attacks. 

Check Point says that the tactic of choice is DDoS attacks for both the US and Europe, while Asia has a preference for Remote Code Execution and Information Disclosure. It’s likely that the combination of schools not having a particular focus on security, and a lack of resources, will exacerbate these issues. As usual, the researchers say that institutions should use a combination of proactive measures to reduce the vectors of attack and educate users on best practices. 

It supports multiple authentication protocols including FIDO2, FIDO U2F, smart card (PIV), Yubico OTP, OpenPGP, OATH-TOTP, OATH-HOTP and Challenge-Response — all on a single device. That means it’ll work with most password managers, along with social media platforms, collaboration tools and browsers like Chrome, Firefox and Microsoft Edge.

The main difference with the latest model is that it supports both NFC and USB-C, rather than USB-A. That should work better for people with newer devices, as USB-C is now common on recent Macs, most PCs and Android smartphones. The YubiKey 5C NFC is now available for $55 on Yubico’s website.

In addition to obstruction of justice, prosecutors charged Sullivan with failing to share knowledge of a felony. In total, he faces up to eight years in prison if convicted of both charges. 

“We expect good corporate citizenship,” said US Attorney David L. Anderson. “We expect prompt reporting of criminal conduct. We expect cooperation with our investigations. We will not tolerate corporate cover-ups. We will not tolerate illegal hush-money payments.” 

Bradford Williams, Sullivan’s attorney, told The New York Times there’s “no merit” to the charges. “If not for Mr. Sullivan’s and his team’s efforts, it’s likely that the individuals responsible for this incident never would have been identified at all,” he said. Williams added that Sullivan and his team worked closely with other Uber employees and followed the company’s policies.

Meanwhile, a spokesperson for Uber told The New York Times it continues to cooperate with the Justice Department’s investigation into the 2016 hack. “Our decision in 2017 to disclose the incident was not only the right thing to do, it embodies the principles by which we are running our business today: transparency, integrity, and accountability,” they said.

Sullivan may become the second former Uber employee to end up behind bars. At the start of August, Anthony Levandowski, the engineer at the center of the trade secret legal battle between Waymo and Uber, was sentenced to 18 months in prison. 

If your favorite Reddit community looked like a political billboard on August 7th, you can blame it on hackers. Both Motherboard and ZDNet report that hackers defaced dozens of subreddits with pro-Trump messages, including major subreddits like r/food and r/space as well as numerous communities devoted to sports and TV shows. The affected communities appear to have recovered, but this still meant that millions of users potentially saw the virtual graffiti.

A Reddit spokesperson told Motherboard that the company was investigating, but that the sources appeared to be “compromised moderator accounts.” It locked down those accounts while it was restoring the subreddits. ZDNet noted that an apparently hijacked Twitter account claimed credit for the attack, but that user has since been suspended without providing evidence.

Its systems were reportedly seized by Maze, a group that exfiltrates data before encrypting and locking off systems. Bleeping Computer obtained a partial screenshot of the purported ransom note sent to Canon, and said that Maze confirmed that it had stolen “10 terabytes of data, private databases, etc.” as part of the attack. By combining data theft with ransomware, Maze can attempt to blackmail companies that may have full system backups.

Canon’s image.canon cloud photo storage site was also affected, though apparently not by the same problem. On the site’s home page, Canon says that “some of the photo and video image files saved in the 10GB long-term storage prior to June 16, 2020 9:00 AM (JST) were lost.” It added that “there was no leak of image data” and said that it was able to restore functionality as of August 4th. Maze reportedly confirmed to Bleeping Computer that the photo site wasn’t part of the attack, though of course one can’t take criminals at their word.

The group was created in 2010 and became a hub for thieves hoping to buy goods with fake and stolen payment cards. It was reportedly sophisticated, with members offering automated vending sites, a screening process and even an escrow service to help complete transactions. The Justice Department counted 10,901 registered members by March 2017.

This isn’t a decisive victory for law enforcement. Only a handful of Infraud members are facing punishment, some of them in the US. Others, including co-founder Svyatoslav Bondarenko, are fugitives. The guilty plea won’t necessarily deter other crooks. It’s still an important win, though, and shows how US prosecutors will tackle other large cybercrime outfits — it’s pushing for confessions that help take down as many targets as possible.

Our investigation and cooperation with law enforcement continues, and we remain committed to sharing any updates here. More to come via @TwitterSupport as our investigation continues.

— Twitter Support (@TwitterSupport) July 18, 2020

Late Friday night, Twitter confirmed that its investigation shows attackers exported the data on “up to eight of the accounts involved,” without specifying which ones (in a later tweet, the company indicated that none of the eight were Verified accounts). Of the 130 that it had previously said were targeted, Twitter now says the attackers performed a password reset and were able to access 45 of them, but did not specify why they may not have done so on the the others.

There is a lot speculation about the identity of these 8 accounts. We will only disclose this to the impacted accounts, however to address some of the speculation: none of the eight were Verified accounts.

— Twitter Support (@TwitterSupport) July 18, 2020

Multiple reports, including one on Friday afternoon from the New York Times, have featured accounts from posters on the “OGUsers” gray market forum where high-profile accounts are sometimes traded. By the accounts of their sources, an unknown person going by the name of “Kirk” claimed to be a Twitter employee and offered takeovers on any account, working at times via middle men, and collecting money via the same address advertised in the tweets. According to some of the customers and middlemen from the incident, they apparently believe Kirk access Twitter’s internal Slack channels, and found credentials for accessing its internal admin tools there.

According to Twitter’s own accounting of the incident “The attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through our two-factor protections.”

Most of these accounts tweeted some variant of the same message: If someone were to send Bitcoin to the address specified in the tweets during a 30-minute window, the account owner would return double the amount. These outsized claims succeeded in tricking some people into sending over valuable cryptocurrency, but no crypto was ever sent in return. (Obviously.) All of the tweets sent from these high-profile accounts directed victims to the same Bitcoin address.

By this point, Twitter had caught on and was attempting to contain the account breaches. In an effort to prevent more scammy messages being shared, Twitter temporarily removed the ability for verified users to tweet. If the owners of those accounts wanted to communicate on the platform, they either had to create temporary accounts, retweet existing tweets, or both. (Meanwhile, non-verified Twitter users basically had a field day.) Twitter appeared to get the situation under control and restored verified users’ ability to tweet at around 8:30 PM Eastern.

At that time, Twitter confirmed that it had opened an investigation into the hack, and one day later, the FBI confirmed that it was launching an investigation of its own.

How did these accounts get hacked?

At this time, Twitter’s investigation is still ongoing, and there is little in the way of conclusive information. With respect to the hack itself, here’s what the company has confirmed so far:

• Some of its employees were targeted in a social engineering attack because of their access to “internal systems and tools.”

• The hackers were able to “take control” of verified and high-profile Twitter accounts, and published the scam tweets “on their behalf”

• In the wake of the hack, Twitter has taken steps to limit access to the aforementioned internal systems and tools, at least for the duration of the investigation.

The @TwitterSupport account has been largely quiet since issuing those statements, but it’s important to note that some news reports published in the wake of the hack stand at odds with Twitter’s official narrative.

As mentioned, Twitter said some of its employees fell prey to a social engineering attack. “Social engineering” is a term with many connotations, but is generally taken to mean that one party has tricked or manipulated another to gain information or access to resources that otherwise would have been off-limits. Meanwhile, a report published by Motherboard a few hours after the hack described the situation more bluntly. According to unnamed sources who allegedly took over some of the accounts themselves, hackers bribed at least one Twitter employee for access to powerful platform controls.

Motherboard’s interview revealed the existence of a control panel that certain Twitter employees have access to, which allows them to — among other things — change the email addresses connected to specific Twitter accounts. By changing information associated with some of those high-profile accounts, the hackers were able to temporarily transfer ownership to themselves. At this point, however, it’s unclear whether this method was used to gain control of all the affected accounts. It is worth noting, however, that one of Motherboard’s sources claims that a Twitter rep did “all the work” for them, suggesting a level of cooperation that isn’t directly addressed in Twitter’s statements.

In its first detailed statements since someone took over a number of high profile accounts Wednesday afternoon, Twitter posted a thread explaining “what we know so far.” While rumors have swirled about what may have caused a compromise that gave hackers access to Twitter accounts for Elon Musk, Bill Gates, Barack Obama, Apple, Kanye West and others, the company stated “We detected what we believe to be a coordinated social engineering attack by people who successfully targeted some of our employees with access to internal systems and tools.”

We know they used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf. We’re looking into what other malicious activity they may have conducted or information they may have accessed and will share more here as we have it.

— Twitter Support (@TwitterSupport) July 16, 2020

This was disruptive, but it was an important step to reduce risk. Most functionality has been restored but we may take further actions and will update you if we do.

— Twitter Support (@TwitterSupport) July 16, 2020

The company went on to say that after temporarily limiting Twitter activity — including a period where all verified accounts were prevented from tweeting — it has restored those features. Internally it’s limiting access to its tools while the investigation continues. Twitter did not comment on a report by Motherboard that included a picture of its internal tools, and cited anonymous sources in the SIM swapping community that said an insider did the work for them.

Group-IB’s report says fxmsp and his group sold network access to hotel chains, banks and other financial firms, making at least $1.5 million from their operation. As a result of their activities, their victims reportedly lost tens of millions of dollars to malware and network damage. They’ve been inactive since last year after fxmsp made headlines for advertising access to data from popular cybersecurity firms McAfee, Trend Micro and Symantec. However, at least one cybersecurity firm believes they’re still operating under different names.

Turchin has been charged with conspiracy to commit computer hacking, two counts of computer fraud and abuse, conspiracy to commit wire fraud and access device fraud. Law enforcement officials say he’s likely aware of the charges and that extradition to the US is unlikely, because Kazakhstan does not extradite nationals.