Cyber
The Next Frontier

Become part of a critical layer of cyber defense. Cybersecurity positions will make up 45% of all US tech job openings.


The National Security Agency designated the University of Arizona's Cyber Operations program as a Center of Academic Excellence in Cyber Operations (CAE-CO). With this designation, UA joins an extremely exclusive group of only 24 cyber programs in the nation. The NSA's CAE-CO designation demonstrates that UA's Cyber Operations program meets the most demanding academic and technical requirements.


The Bachelor of Applied Science in Cyber Operations prepares graduates for cyber-related occupations in defense, law enforcement, and private industry.

Our curriculum includes both offensive and defensive cyber security content delivered within our state-of-the-art Virtual Learning Environment to ensure our students have extensive hands-on experiences to develop the knowledge, skills, and abilities necessary to succeed after they graduate.


Program News

DoD Cyber Scholarship Program (CySP)

The DoD CySP is a yearly scholarship program aimed at Juniors and Seniors pursuing a bachelor’s degree in cyber-related academic disciplines. The CySP is a 1-year scholarship, which grants selected Cyber Scholars tuition and mandatory fees (including health care), funding for books, a $25K annual stipend, and guaranteed employment with a DoD agency upon graduation.

Cyber News

Thursday, October 17, 2024 - 11:09
Alabama man arrested for role in SEC Twitter account hijacking

A 25-year-old Alabama man has been arrested and charged with hacking into the Securities and Exchange Commission’s Twitter/X account earlier this year and making fake regulatory posts that artificially inflated the price of Bitcoin by more than $1,000 per unit.

Eric Council Jr., a resident of Athens, Ala., was arrested Thursday morning and charged with aggravated identity theft and access device fraud in connection with the January 2024 incident.

According to the Department of Justice, the FBI and the SEC Inspector General, Council and other unnamed parties used SIM-swapping to steal the identity of a third-party individual with access to the SEC’s main account. The attackers only maintained control of the account for a short time, but before the SEC and Twitter/X could restore access back to the agency, they published a post imitating Chair Gary Gensler and announced that the listing of Bitcoin on registered national securities exchanges had been approved.

While the SEC did indeed eventually approve the listing, the premature posting caused considerable market disruption, sending the price up by $1,000 per bitcoin before falling by $2,000 per bitcoin when the announcement was revealed to be fake.  

An internal investigation by the SEC earlier this year had already determined that the breach occurred through a SIM-swapping attack via a telecommunications carrier, and confirmed that the agency’s Twitter/X account did not have multifactor authentication in place. SIM-swapping attacks use social engineering and other methods to induce carriers to re-assign a cell phone number to another device controlled by the attacker.

“These SIM swapping schemes, where fraudsters trick service providers into giving them control of unsuspecting victims’ phones, can result in devastating financial losses to victims and leaks of sensitive personal and private information,” said U.S. Attorney Matthew Graves. “Here, the conspirators allegedly used their illegal access to a phone to manipulate financial markets. Through indictments like this, we will hold accountable those who commit these serious crimes.”

According to authorities, Council Jr., who went by the online handles “Ronin,” “Easymunny,” and “AGiantSchnauzer,” was provided a fake identification card template and other personal information for the individual controlling the number attached to the SEC’s account.

According to the indictment, Council was tipped off by other co-conspirators that an individual, identified only as “C.L” had a phone number with access to the SEC’s Twitter account. They then used an encrypted messaging service to send Council personal information, an identification card template and a photo of “C.L” to create a false identity. The co-conspirators also relayed that “C.L” had a cell phone account with telecommunications carrier AT&T.

Council, who had his own identification card printer, printed out the fake ID and used it at an AT&T store on Jan. 9, 2024, posing as an “FBI agent who broke his phone and needed a new SIM card.” After obtaining a replacement card, he visited another cell phone provider store and used it to re-assign C.L’s cell phone number to his device, giving him control over the individual’s phone, its data and access codes for the SEC’s Twitter/X account.

He then passed those codes along to his co-conspirators, who posted the fake tweet. He was paid an unspecified fee in bitcoin and later returned the phone.

Authorities claim Council Jr. later conducted a series of incriminating internet searches for “SECGOV hack,” “telegram sim swap,” “how can I know for sure if I am being investigated by the FBI,” and “What are the signs that you are under investigation by law enforcement or the FBI even if you have not been contacted by them.”

The short takeover of the account and the financial impact of the fake post caused outrage in Congress and among identity experts, who expressed disbelief that a high-profile social media account for an agency with market-moving regulatory powers was hijacked so easily and did not use multifactor authentication.

A Scoop News Group review of federal rules and regulations around agency social media use found that while many agencies strongly encouraged or internally required their accounts to have multifactor authentication and other protections in place, there are no standard or mandatory rules requiring them to do so.

The Office of Management and Budget, which has the authority to implement cybersecurity policy across the federal government, repeatedly declined to answer questions from CyberScoop in the wake of the hack about whether federal agencies were required to use multifactor authentication for social media accounts.

Grant Schneider, who served as federal chief information security officer in OMB before leaving government in 2020, told CyberScoop that much of the authority OMB and other agencies have over civilian federal cybersecurity policy derives from the Federal Information Security Management Act, a law originally passed in 2002 and updated in 2014. 

Because that law is focused on “federal information and federal information systems,” when an agency is using a social media platform that is not housing or processing federal data, “I’m not convinced that OMB or [the Cybersecurity and Infrastructure Security Agency], at least under FISMA, has the authority to direct how agencies secure those accounts,” Schneider said. 

The post Alabama man arrested for role in SEC Twitter account hijacking appeared first on CyberScoop.

Thursday, October 17, 2024 - 07:40
Brazil’s Federal Police arrest alleged National Public Data hacker

The Federal Police of Brazil on Wednesday arrested a person allegedly responsible for a series of audacious data breaches targeting large international companies and U.S. government entities. 

The suspect, who is known in the cybercrime underground as USDoD or EquationCorp, is allegedly the person responsible for a breach of the online background check and fraud prevention service National Public Data, exposing personal information and Social Security numbers of millions of Americans. Brazilian authorities also say the suspect is responsible for compromising the FBI’s InfraGard — a portal used by American law enforcement to share critical threat information.

The Brazilian police did not name the suspect. In August, Brazilian tech publication Tecmundo reported that CrowdStrike had given a report to Brazilian police naming a 33-year-old “Luan B.G.” as the person responsible for breaching National Public Data. Shortly thereafter, a “Luan” told HackRead that CrowdStrike had doxxed him and claimed responsibility for the breach.

CyberScoop confirmed “Luan” is a 33-year-old Brazilian national via his Instagram account. Brazilian police could not be reached for comment. 

Brazilian authorities arrested the attacker Wednesday in Belo Horizonte, Brazil’s sixth-largest city. Authorities said the suspect was arrested “under warrants issued for past illegal data sales, specifically on May 22, 2020, and February 22, 2022.”

The data breach at National Public Data compromised 2.9 billion records, including full names, addresses, birth dates, phone numbers, and Social Security numbers. The stolen data spans at least three decades and was being sold on the cybercrime underground with server credentials for $3.5 million.

A screenshot of the listing on a cybercrime forum tied to the National Public Data breach.

Brazilian police also say the suspect is responsible for data breaches on other entities, including Airbus and the Environmental Protection Agency. 

This arrest marks another step in Brazil’s ongoing battle against cybercrime, following a successful operation earlier this year that dismantled a criminal group behind the banking malware Grandoreiro, which has defrauded victims of millions dating back to 2019.

The post Brazil’s Federal Police arrest alleged National Public Data hacker appeared first on CyberScoop.

Wednesday, October 16, 2024 - 16:23
Pyongyang on the payroll? Signs that your company has hired a North Korean IT...

If your remote employee insists on using their own devices, won’t show up on webcam and frequently changes their payment services, you may have accidentally hired a North Korean operative.

Those are some of the tactics wielded by the actors behind what Secureworks refers to as Nickel Tapestry, a group known for planting fake IT workers at Western commercial companies to raise money for North Korea’s nuclear weapons programs, according to new research from Secureworks.

Based on numerous incident response engagements, the findings detail a range of tactics used by the group to infiltrate companies in the U.S., U.K. and Australia on behalf of North Korea, often for profit. While the identities of the impacted firms were withheld, the research reveals common behaviors and techniques that could help cybersecurity professionals sniff out possible imposter employees.

Most of the time, the primary objective behind these schemes was simply drawing a salary for as long as possible, money that federal authorities and other experts say usually goes directly to funding North Korea’s nuclear weapons program. But Secureworks said these employments sometimes morphed into broader efforts to thieve intellectual property data or extort the companies for larger payments.

In one instance, a hired worker used their employer’s virtual desktop infrastructure to access and steal proprietary data. When they were eventually fired for poor performance, they attempted to ransom the stolen data back to the company for hundreds of thousands of dollars in cryptocurrency.

Secureworks also observed the group taking extensive efforts to avoid using corporate laptops, while obfuscating their real location. In some cases, the workers requested permission to use their own personal laptops or virtual desktop infrastructure. Others would simply change the delivery address to send their work device to a laptop farm masked with a U.S. IP address, a technique that was also highlighted in an FBI advisory released last year.

When they were forced to use corporate work devices, the plants would often cite technical issues to avoid showing up on webcams for work meetings. There is also evidence that some used virtual video-cloning software and other tools.

“Based on these observations, it is highly likely that the threat group is experimenting with various methods for accommodating companies’ requests to enable video on calls,” Secureworks’ counter threat unit research team wrote.

The group also created entire fake networks of employees and companies to provide operatives with work references, redirect payments and, in at least one case, replace other operatives once they were fired or left a company. Oftentimes these operatives use similar email and resume formats, or display multiple writing styles, indicating that each persona may have more than one operative behind it.

To sidestep detection by banks, these workers would sometimes rapidly update their bank accounts or use digital payment services like Payoneer. CyberScoop has reached out to Payoneer’s press office for comment.

Other common behaviors associated with campaign operatives were listing between 8 and 10 years of work experience, communicating at odd times of day that don’t match their listed location or time zone, demonstrating novice or intermediate English skills and sounding like “they are speaking from a call center environment.”

While each behavior is typically harmless and common among global remote IT workers, when combined, they might suggest a company has unknowingly hired a North Korean agent.
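The point above is that none of these indicators is conclusive on its own, so a practical screen has to combine them. The following is an added example (not Secureworks’ code, and not a method the article describes) that scores constructed worker records against the behaviors listed in the article: insistence on personal devices, repeated webcam refusals, frequent payout changes, redirected device shipments, an 8-to-10-year résumé and login hours that do not fit the claimed location. The weights, thresholds, field names and sample records are all assumptions chosen for illustration; the time-zone check uses a fixed UTC offset rather than a real zone database so it runs anywhere.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class WorkerProfile:
    """HR/IT facts about one remote worker (field names are assumptions)."""
    name: str
    claimed_utc_offset_hours: int   # offset of the location the worker says they work from
    years_experience: int           # years listed on the résumé
    byod_requested: bool            # asked to use a personal laptop or own VDI
    webcam_refusals: int            # meetings where the camera "failed"
    payout_changes_90d: int         # bank / payment-service changes in the last 90 days
    device_shipping_redirected: bool  # corporate laptop rerouted to another address
    login_times_utc: list           # timezone-aware UTC datetimes of VPN/SSO logins


def fraction_off_hours(profile, start_hour=8, end_hour=20):
    """Share of logins that fall outside start_hour..end_hour in the claimed local time."""
    if not profile.login_times_utc:
        return 0.0
    local_tz = timezone(timedelta(hours=profile.claimed_utc_offset_hours))
    off_hours = 0
    for login in profile.login_times_utc:
        local_hour = login.astimezone(local_tz).hour
        if not (start_hour <= local_hour < end_hour):
            off_hours += 1
    return off_hours / len(profile.login_times_utc)


def score(profile):
    """Return (total, reasons). Weights are assumptions; each indicator alone is weak."""
    total, reasons = 0, []
    if profile.byod_requested:
        total += 2; reasons.append("insists on personal device / own VDI")
    if profile.webcam_refusals >= 3:
        total += 2; reasons.append(f"{profile.webcam_refusals} webcam refusals")
    if profile.payout_changes_90d >= 2:
        total += 2; reasons.append(f"{profile.payout_changes_90d} payout changes in 90 days")
    if profile.device_shipping_redirected:
        total += 2; reasons.append("corporate device shipment redirected")
    if 8 <= profile.years_experience <= 10:
        total += 1; reasons.append("8-10 years of listed experience")
    off = fraction_off_hours(profile)
    if off >= 0.5:
        total += 2; reasons.append(f"{off:.0%} of logins outside claimed working hours")
    return total, reasons


def triage(profiles, threshold=5):
    """Names and scores at or above threshold, highest first, for a human to review."""
    flagged = [(p.name, score(p)[0]) for p in profiles]
    return sorted([f for f in flagged if f[1] >= threshold], key=lambda f: -f[1])


def _utc(*hms):
    return datetime(2024, 10, 14, *hms, tzinfo=timezone.utc)


# Constructed sample records (not real people). PERSONA_A claims US Central
# (UTC-5 in October) but logs in at 22:00, 01:00 and 04:00 local time.
PERSONA_A = WorkerProfile("persona_a", -5, 9, True, 4, 3, True,
                          [_utc(3, 0), _utc(6, 0), _utc(9, 0), _utc(15, 0)])
# PERSONA_B claims Central Europe (UTC+2) and logs in at 09:00, 12:00 and 16:00 local.
PERSONA_B = WorkerProfile("persona_b", 2, 12, False, 1, 0, False,
                          [_utc(7, 0), _utc(10, 0), _utc(14, 0)])

if __name__ == "__main__":
    for p in (PERSONA_A, PERSONA_B):
        total, reasons = score(p)
        print(p.name, total, reasons)
    print(triage([PERSONA_A, PERSONA_B]))
```

The output is a queue for identity verification, not a verdict: a legitimate contractor can trip one or two of these, which is why the threshold sits well above any single indicator’s weight.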

Due to international sanctions limiting traditional business avenues, North Korea increasingly uses cybercrime and operations like Nickel Tapestry to fund its military and weapons programs.

In 2022, the FBI, Treasury Department and State Department put out a public warning calling North Korea’s IT worker infiltration program “a critical stream of revenue” for the regime. Employees placed at Western firms — who are actually based in China or Russia — are able to make as much as $300,000 a year, and often make 10 times the income they would earn as an average factory or construction worker inside North Korea.

North Korean leader Kim Jong Un has heavily invested in IT infrastructure inside the country, which is used to foster the skill sets needed to obtain employment overseas, including establishing rigorous IT degree programs within North Korea and training at regional IT research centers abroad.

Cybersecurity experts believe the practice is more widespread than the public understands. Researchers at Mandiant and Google Cloud said last month that these workers often have multiple jobs with different organizations and maintain high-level access to production systems and source code, potentially enabling future cyberattacks on company infrastructure.

“I’ve spoken to dozens of Fortune 100 organizations that have accidentally hired North Korean IT workers,” Charles Carmakal, the firm’s chief technology officer, said in a statement last month.

The post Pyongyang on the payroll? Signs that your company has hired a North Korean IT worker appeared first on CyberScoop.

Wednesday, October 16, 2024 - 13:24
GitHub patches critical vulnerability in its Enterprise Servers

GitHub’s latest Enterprise Server update fixes a critical vulnerability that allows authentication bypass for on-premise deployments, according to the company.

The bug — CVE-2024-9487 — impacts GitHub’s enterprise product and does not affect its software-as-a-service products, according to the company’s release. The Microsoft-owned company said the bug, which is a 9.5 on the CVSS scale, would allow hackers to bypass a method typically used by companies to verify employee identities using single sign-on called Security Assertion Markup Language (SAML).

Chris Hatter, chief technology officer of the application security company Qwiet.Ai, called the vulnerability “severe” and said that organizations should ensure they understand their relevant network architectures. 

Hatter said companies should block any “routes to this access” and ensure that they have “telemetry to be able to understand who is accessing these resources by whom and from where.”

Hatter said a typical attack would likely require a malicious actor to already have access to internal networks in order to use the vulnerability. He cautioned that some organizations might publish Enterprise Servers to the open internet, but it would be unusual. 

The vulnerability lets an attacker forge the authentication request that identity providers use to verify a person is signing onto an approved service. Most people have multiple identities for work — a recent report from Push Security noted that companies have on average 15 identities per employee — and SAML SSOs help organizations manage authorization and access.

Hatter said GitHub Enterprise Servers could be a “treasure trove of information” for hackers. Accessed instances could include “source code, architectural documents, information about developers,” which could be useful for espionage, social engineering attacks, and IP theft, among other acts.

“If you have access to the source code and you have administrative privileges into the source code management systems, theoretically you could start to manipulate that source code and implement a back door,” Hatter said.

GitHub’s latest update fixes a regression of CVE-2024-4985, a vulnerability with a 10.0 CVSS score that was first patched by GitHub in May.

The Oct. 6 update had two other security fixes: a bug in SVG assets that allows possible metadata retrieval — CVE-2024-9539 — and the removal of management console functionality that could expose sensitive data in HTML forms.

The post GitHub patches critical vulnerability in its Enterprise Servers appeared first on CyberScoop.

Wednesday, October 16, 2024 - 13:22
Alleged Anonymous Sudan leaders charged, prolific gang’s tool disabled

A federal grand jury unsealed an indictment Wednesday against two Sudanese brothers allegedly behind Anonymous Sudan, a cybercriminal outfit responsible for tens of thousands of attacks designed to knock websites and services offline. Authorities also unsealed a criminal complaint and announced they had disabled the group’s powerful tool for conducting attacks.

Ahmed Salah Yousif Omer, 22, and Alaa Salah Yusuuf Omer, 27, face charges of one count of conspiracy to damage protected computers, with Ahmed facing three counts of damaging protected computers as well. The indictment says the conspiracy involved “knowingly and recklessly” attempting to cause serious bodily harm and death after an attack on a prominent Los Angeles hospital crippled its website and web services, forcing the Cedars-Sinai Medical Center to send emergency room patients elsewhere for several hours.

Companies that aided the Justice Department in its pursuit of the men said it was remarkable how effective the pair were with one of the more common kinds of cyberattacks, distributed denial of service (DDoS), in which attackers overwhelm a server with traffic to bring it down.

“It is remarkable that just two individuals, with a relatively small investment of time and resources, were able to create and maintain a DDoS capability potent enough to disrupt major online services and websites,” CrowdStrike wrote in a blog post.

Tom Scholl, Amazon Web Services vice president and distinguished engineer, said the company’s security team was “a bit surprised about how brazen they were, and by the ease with which they were impacting high profile targets.”

Other prominent victims besides the hospital include tech firms such as Cloudflare, Microsoft, PayPal, X, and Yahoo, with the gang also claiming attacks against the DOJ, FBI, State Department, transportation and education infrastructure, and governments in other parts of the world.

Anonymous Sudan employs a tool that it markets as the Godzilla Botnet, Skynet Botnet or InfraShutdown, and sells its services to criminals. In total, it has been used in 35,000 attacks since the gang began operations at the beginning of 2023, according to the complaint.

The brothers have reportedly been in custody since March after they were arrested abroad in an unnamed country, when the U.S. Attorney’s Office of the Central District of California and the Justice Department also seized and disabled their DDoS tool. 

“Their motivations, while often masked under religious or Sudanese nationalist sentiments, were primarily driven by a desire for notoriety and attention,” CrowdStrike said. Scholl said the group’s big attacks were a form of marketing its services — complete with rate cards and contact information — to others.

Anonymous Sudan’s name, according to the complaint, is an ode to the brothers’ home country. Experts have often maintained that Anonymous Sudan was a front group for the pro-Russia hacktivist collective Killnet, but the complaint disputes that, although it notes that “the group may share ideologies with, and sometimes appears to act in concert with, Killnet and similar hacktivist groups.”

CrowdStrike said Anonymous Sudan’s “success stemmed from a combination of factors: a custom-built attack infrastructure hosted on rented servers with high bandwidth, sophisticated techniques for bypassing DDoS mitigation services, and the ability to quickly identify and exploit vulnerable API endpoints that, when overwhelmed with requests, would render services inoperable and disrupt user access.”

The post Alleged Anonymous Sudan leaders charged, prolific gang’s tool disabled appeared first on CyberScoop.