

Infosec In Brief The Alabama state government is investigating an unspecified “cybersecurity event” that it said has affected some state systems, but didn’t involve the theft of citizens’ personal info.
The Alabama Office of Information Technology reported the incident to the public last week in a note that revealed it is working with outside cybersecurity consultants to secure and restore impacted systems. According to the statement, the incident was detected on Friday, May 9, and investigations determined crackers compromised some state employees’ username and password pairings.
The state government was reluctant to share details beyond that, and mentioned little more of substance in either of a pair of subsequent updates [PDF] [PDF]. It did indicate that the incident didn’t lead to any “major disruptions” to state services, and that PII of citizens continues to appear safe.
“OIT is not in a position to release additional details at this time,” the government said last Wednesday. “We do, however, want to assure the public that numerous highly skilled technical resources are in place and actively engaged as OIT responds to this event.”
We’re left to wonder whether the incident could have been avoided if the USA’s Cybersecurity and Infrastructure Security Agency’s Multi-State Information Sharing and Analysis Center (MS-ISAC) had avoided a $10 million funding cut last month, hampering the agency’s ability to share cyber threat information with state and local governments.
MS-ISAC ran a service known as the Cybersecurity Assistance Services Program, which offered no-cost security advisory services to governments, but that was reportedly closed as part of the CISA budget cuts.
OIT has told all state government employees to “remain vigilant when replying to emails and/or clicking any links,” so we might have at least a bit of insight as to what caused the whole thing to kick off.
Critical flaws keep flowing
While you figure out which Patch Tuesday fixes deserve your attention, watch out for these other critical issues revealed last week:
- CVSS 9.6 – CVE-2025-32756: A whole bunch of Fortinet products contain stack-based buffer overflow vulnerabilities that allow a remote, unauthorized attacker to execute arbitrary code.
- CVSS 9.1 – CVE-2025-42999: A privileged user of SAP NetWeaver Visual Composer Metadata Uploader can compromise the integrity, availability and confidentiality of a system by uploading untrusted or malicious content that the system then deserializes.
Online criminal marketplace operator extradited to US
A Kosovo man has become a Florida man after being extradited to the US to stand trial for allegedly operating an online criminal marketplace.
The US Department of Justice last week charged Liridon Masurica, also known as “@blackdb,” with operating the BlackDB.cc criminal marketplace since 2018. The site offered for sale stolen credit cards, compromised account credentials, and PII belonging mainly to individuals based in the United States. Purchasers of the purloined info mostly used it to commit fraud and other crimes.
The feds charged Masurica with one count of conspiracy to commit access device fraud and five counts of fraudulent use of 15 or more unauthorized access devices. If convicted on all charges, he faces up to 55 years in prison.
Law enforcement outfits have recently busted several illegal online marketplaces. Last December the feds rounded up the operators of the Rydox market, and German cops busted the administrator of Crimenetwork the same month. Dutch officials busted the operators of Bohemia and Cannabia a couple of months prior.
Physical security firm not so cyber secure
Andy Frain Services, a company that offers physical security and event planning services to high-profile clients like the NFL, NBA, NASCAR and others, has admitted it might have missed the mark on digital security.
The company published a better-late-than-never breach notification letter last week in which it admitted that around 100,964 people were affected by a breach the Black Basta ransomware gang has claimed as its evil work. The crew claimed it stole human resources files that included various forms of PII.
Black Basta listed Andy Frain on its breach website back in November 2024, and alleges it stole 750 GB of data from the company in a ransomware attack. It’s unknown if Andy Frain has paid a ransom.
Fancy Bear back to targeting Ukraine
Russian-backed cyber operators that use the names APT28, Fancy Bear, Forest Blizzard, Sofacy, and Sednit have commenced a new campaign targeting Ukrainian systems, according to security software vendor Eset.
This time around, APT28 is using spear phishing emails to target webmail servers that contain cross-site scripting vulnerabilities. If targets click, the gang injects malicious JavaScript code into webmail products like Roundcube, Horde, MDaemon and Zimbra.
Luckily for operators, the attack only functions inside the local web browser on the target’s machine, giving the group access to data belonging to that individual. Emails sent by APT28 targeted Ukrainian military, defense and transportation groups, plus government officials. Other targets are linked to government operations in countries including Greece, Romania, Serbia, and Bulgaria.
The CVEs being abused in the campaign are all from 2024 or earlier. Webmail providers have some work to do!
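The defensive control that blunts this class of attack is rendering the HTML part of inbound mail only after it has been rebuilt from an allow-list, so that script injected into a message body never reaches the reader’s browser. The snippet below is an added illustration of that idea, not code from this article, from Eset, or from any of the webmail projects named; the raw message, the tag allow-list and the benign alert() payloads are all constructed for the example.

```python
import email
import html
from email import policy
from html.parser import HTMLParser

# Constructed sample (not a real campaign artifact): benign alert() payloads only.
RAW_EMAIL = b"""Content-Type: text/html; charset="utf-8"

<p>Hi, <b>notes</b> below.</p>
<script>alert(1)</script>
<img src="cid:logo" onerror="alert(2)">
<a href="javascript:alert(3)">agenda</a>
"""
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "form"}
ALLOWED_TAGS = {"p", "b", "i", "a", "img", "br", "ul", "li", "div", "span"}

class EmailHtmlSanitizer(HTMLParser):
    """Allow-list rebuild: unknown tags vanish, DROP_WITH_CONTENT tags vanish with their content."""
    def __init__(self):
        super().__init__()  # convert_charrefs=True; text is re-escaped in handle_data
        self.out, self.skip_depth, self.removed = [], 0, 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth, self.removed = self.skip_depth + 1, self.removed + 1
        elif not self.skip_depth and tag in ALLOWED_TAGS:
            kept = []
            for name, value in attrs:
                val = (value or "").strip()
                if name.lower().startswith("on") or val.lower().startswith("javascript:"):
                    self.removed += 1  # event handler or script URL: drop the attribute
                    continue
                kept.append(f' {name}="{html.escape(val, quote=True)}"')
            self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data))

def sanitize_html_part(raw: bytes) -> tuple[str, int]:
    """Return (sanitized HTML, number of removed constructs) for the message's HTML body."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))  # None when there is no HTML part
    s = EmailHtmlSanitizer()
    s.feed(part.get_content() if part is not None else "")
    s.close()
    return "".join(s.out), s.removed
```

On the constructed message this drops the script element, the onerror handler and the javascript: href while leaving the formatting tags intact; a production webmail deployment would pair such an allow-list with a maintained sanitizer library and a Content-Security-Policy on the rendering page.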
Eurocops dismantle online investment fraud network
Europol says it has dismantled an investment scam network.
An organized crime group ran the network, which defrauded more than 100 people in Germany, Cyprus, Albania, the UK and Israel. Investors lost over €3 million ($3.35m).
Europol said the operation relied on getting marks to invest a little bit in a fake trading platform, then enticing them to invest more by showing off fake charts that depicted substantial gains. Members of the criminal group even posed as brokers to convince victims to spend more money, all of which was pocketed by the perps.
European authorities have tried to dismantle the gang for several years, with the first action taking place in 2022 with the arrest of suspects in Latvia and Belgium. Euro-cops arrested another suspect on May 13, and Europol said it plans to continue hunting the group. ®