Blog entry by Les Bell

by Les Bell - Monday, 15 May 2023, 8:10 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Insider Gets Six Years for Extortion Attempt

Developers and especially security professionals are among the most highly privileged insiders in most enterprises, with both high levels of access to many, if not all, systems - including logging and monitoring systems, in the case of security pros - plus the skills to both use and abuse them. It makes sense, therefore, to monitor their actions, taking a close look at their activities from time to time, rather than simply assuming they are trustworthy. Because sometimes, it turns out, they aren't.

A case in point is that of Nickolas Sharp, whom we reported on back in February. Sharp misused his admin privileges to access his employer's AWS and GitHub accounts, stealing gigabytes of confidential data. To cover his tracks, he changed the log retention policies, altered other files and used a Surfshark VPN service in a failed attempt to conceal his IP address.
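Shortening log retention is exactly the kind of privileged action worth alerting on. The following is an added example, not code from this post or from the DoJ release: it scans constructed, simplified CloudTrail records for retention reductions and for calls that disable CloudTrail itself, and tallies them per actor. The event names and fields are real CloudWatch Logs and CloudTrail API names; the baseline value, ARNs and sample records are assumptions made for the example.

```python
from collections import Counter

# Assumed organisational baseline: log groups must keep at least this many days.
MIN_RETENTION_DAYS = 365

# Real CloudTrail management-event names that stop or destroy audit logging.
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail"}
LOG_DESTROY_EVENTS = {"DeleteLogGroup", "DeleteLogStream"}

def find_log_tampering(records):
    """Return (actor_arn, description) tuples for events that cut retention
    below baseline, destroy log data, or interfere with CloudTrail."""
    alerts = []
    for rec in records:
        name = rec.get("eventName")
        actor = rec.get("userIdentity", {}).get("arn", "unknown")
        params = rec.get("requestParameters") or {}
        if name == "PutRetentionPolicy":
            days = params.get("retentionInDays")
            if days is not None and days < MIN_RETENTION_DAYS:
                alerts.append((actor, f"retention on {params.get('logGroupName')} cut to {days} days"))
        elif name in LOG_DESTROY_EVENTS:
            alerts.append((actor, f"{name} on {params.get('logGroupName')}"))
        elif name in TRAIL_TAMPER_EVENTS:
            alerts.append((actor, f"{name} on trail {params.get('name')}"))
    return alerts

def actors_to_review(records):
    """Count tampering alerts per actor so repeat offenders surface first."""
    return Counter(actor for actor, _ in find_log_tampering(records))

# Constructed sample records (simplified CloudTrail shape; ARNs are fictitious).
SAMPLE_EVENTS = [
    {"eventName": "PutRetentionPolicy", "eventSource": "logs.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/admin-example"},
     "requestParameters": {"logGroupName": "/aws/app/prod", "retentionInDays": 1}},
    {"eventName": "PutRetentionPolicy", "eventSource": "logs.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops-example"},
     "requestParameters": {"logGroupName": "/aws/app/dev", "retentionInDays": 400}},
    {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/admin-example"},
     "requestParameters": {"name": "org-trail"}},
    {"eventName": "DescribeLogGroups", "eventSource": "logs.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops-example"},
     "requestParameters": None},
]

if __name__ == "__main__":
    for actor, what in find_log_tampering(SAMPLE_EVENTS):
        print(f"ALERT {actor}: {what}")
```

In production the records would come from the CloudTrail S3 bucket or a SIEM query rather than a list, and a retention change that is legitimately approved should be matched against a change ticket before it is closed.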

Worse, once the breach was discovered, Sharp sent the company an extortion demand for BTC50 and, when they refused to pay, leaked some of the data. By then the FBI had raided his home, confiscated his laptop and amassed a lot of evidence. Yet, determined to prove the truth of the old adage that when you're in a hole you should stop digging, Sharp went on a PR campaign, posing as a whistleblower and causing his employer's stock price to fall by 20% - more than a $US4 billion drop in market capitalization.

Sharp eventually pleaded guilty back in February, and his sentence has now been handed down.

U.S. Attorney Damian Williams said: “Nickolas Sharp was paid close to a quarter million dollars a year to help keep his employer safe.  He abused that trust by stealing a massive amount of sensitive data, attempting to implicate innocent employees in his attack, extorting his employer for ransom, obstructing law enforcement, and spreading false news stories that harmed the company and anyone who invested into the company.  Sharp now faces serious penalties for his callous crimes.”

US District Judge Katherine Polk Failla agreed, handing down a sentence of six years imprisonment, plus three years of supervised release. She also ordered Sharp to pay restitution of $US1,590,487 and to forfeit personal property used, or intended to be used, in connection with these offences. I don't think Sharp's pay in the prison laundry will allow his employer (coyly referred to as "Company-1" in the press release, but we all know who they are . . .) to ever see that $US1.5 million, though.

Biase, Nicholas, Former Employee Of Technology Company Sentenced To Six Years In Prison For Stealing Confidential Data And Extorting Company For Ransom, press release, 10 May 2023. Available online at https://www.justice.gov/usao-sdny/pr/former-employee-technology-company-sentenced-six-years-prison-stealing-confidential.

CISA Issues PaperCut Advisory

Last month we brought you news of two critical vulnerabilities, discovered by Trend Micro, in the PaperCut print management software. Now, the US Cybersecurity and Infrastructure Security Agency and the FBI have released a joint Cybersecurity Advisory (CSA), providing details of active exploitation of CVE-2023-27350. The FBI observed malicious actors exploiting CVE-2023-27350, starting in mid-April 2023 and continuing through the present. In early May 2023, the FBI observed a group self-identifying as the Bl00dy Ransomware Gang attempting to exploit vulnerable PaperCut servers in the Education Facilities Subsector. The advisory further provides detection methods for exploitation and details known indicators of compromise (IOCs) related to the group's activity.

Cybersecurity and Infrastructure Security Agency and FBI, Malicious Actors Exploit CVE-2023-27350 in PaperCut MF and NG, Cybersecurity Advisory AA23-131A, 11 May 2023. Available online at https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-131a.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
