Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Matt Johansen Profile picture
@mattjay
Apr 18 13 tweets 5 min read Read on X
Scrolly
🧵 THREAD: A federal whistleblower just dropped one of the most disturbing cybersecurity disclosures I’ve ever read.

He's saying DOGE came in, data went out, and Russians started attempting logins with new valid DOGE passwords

Media's coverage wasn't detailed enough so I dug into his testimony:Image
Who’s the whistleblower?

Daniel Berulis — a senior DevSecOps architect at the National Labor Relations Board (NLRB), formerly with TS/SCI clearance.

He just told Congress the Department of Government Efficiency (DOGE) pulled off a covert cyber op inside a federal agency. Image
DOGE demanded root access.
Not auditor access. Not admin.

They were given “tenant owner” privileges in Azure — full control over the NLRB’s cloud, above the CIO himself.
This is never supposed to happen. Image
They disabled the logs.
Berulis says DOGE demanded account creation with no recordkeeping.

They even ordered security controls bypassed and disabled tools like network watcher so their actions wouldn’t be logged. Image
And then the data started flowing out.
10+ GB spike in outbound traffic

Exfiltration from NxGen, the NLRB's legal case database
No corresponding inbound traffic
Unusual ephemeral containers and expired storage tokens Image
They used an external library that used AWS IP pools to rotate IPs for scraping and brute force attacks.

They downloaded external GitHub tools like requests-ip-rotator and browserless — neither of which the agency uses. Image
The most daming claim in this statement IMO:

Within 15 minutes of DOGE accounts being created…
Attackers in Russia tried logging in using those new creds.
Correct usernames and passwords.

2 options here. The DOGE device was hacked. And I don't think I need to explain the 2nd. Image
Multi-factor authentication? Disabled.
Someone downgraded Azure conditional access rules — MFA was off for mobile.
This was not approved and not logged. Image
Cost spikes without new resources.
Azure billing jumped 8% — likely from short-lived high-cost compute used for data extraction, then deleted. Image
Then came the intimidation.

While preparing this disclosure, Berulis found a drone surveillance photo of himself taped to his front door with a threatening note.

This was just a few days ago. Image
US-CERT was about to be called in.
CISA’s cyber response team.
But senior officials told them to stand down — no report, no investigation. Image
I'm going to cover this more as I find out more.

Subscribe to stay up to date:

vulnu.com/subscribe

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Matt Johansen

Matt Johansen Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @mattjay

Matt Johansen Profile picture
Mar 5
MSFT released new research on Silk Typhoon's supply chain attacks.

Key shift: Group now heavily leveraging stolen API keys and PAM credentials to hit downstream customers, particularly state/local gov and IT sector targets.

Here's what we know 🧵
Initial access vectors include 0days, compromised third-party services, and password spraying.

Notable: Found several instances of corporate creds exposed via public GitHub repos being used in attacks. (They should be following @InsecureNature) Image
@InsecureNature Post-compromise, actors use stolen API keys to access downstream customer environments.

Primary focus: Data collection related to China interests, US gov policy, and LE investigations. Image
Read 8 tweets
Matt Johansen Profile picture
Feb 11
Hackers are using Google Tag Manager (GTM) to inject credit card skimmers into E-commerce sites.

At least 6 compromised sites identified so far. Here's what we're seeing. 👇
Malicious GTM script reference (GTM-MLHK2N68) stored in Magento's cms_block.content table.

Attackers using GTM as delivery mechanism to bypass security controls. Image
Obfuscated JS skimmer activates on checkout pages, exfiltrating card data to C2 domain eurowebmonitortool[.]com.

Additional persistence achieved via PHP backdoor in media/index.php allowing remote code execution through base64-encoded commands.

Gives attackers ongoing access post-cleanup.Image
Read 8 tweets
Matt Johansen Profile picture
Feb 6
🚨 New DPRK malware "FlexibleFerret" targeting MacOS discovered.

It's part of broader campaign that's been active since Nov 2023. Currently evading Apple's XProtect detection.

Here's what we know 👇
Campaign context: Threat actors posing as employers, targeting software devs through fake job interviews.

Previously identified by Unit 42 targeting Windows/Linux/MacOS platforms. Image
The new malware, discovered by SentinelLabs, is distributed via Apple Installer package, signed with valid Apple Developer sig + Team ID.

DPRK is apparently maintaining legitimate dev credentials. Image
Read 9 tweets
Matt Johansen Profile picture
Jan 7
Hackers claim to have compromised Gravy Analytics, exposing millions of smartphone location records—including data sold to U.S. government agencies.

This could be the first major breach of a location data broker. Here’s what you need to know 👇
Potential impact:
- Precise GPS coordinates + timestamps on millions of people
- User movement classifications ("LIKELY_DRIVING")
- Customer lists (Apple, Uber, Equifax & more)
- Root access to Gravy's servers, control of domains, and Amazon S3 buckets Image
For years, firms like Gravy have sold location data to military, DHS, and even the FBI. Now hackers claim to have access dating back to 2018.

Potential risks:
- De-anonymization of individuals
- Tracking high-risk people
- Exposure of schools, clinics, and more
(img: EFF) Image
Read 5 tweets
Matt Johansen Profile picture
Nov 27, 2024
This is nuts.

Major investigation reveals ExxonMobil allegedly orchestrated hack-for-hire campaign targeting 500+ climate activists and journalists. Image
The campaign deployed 28K+ malicious URLs and 100+ targeted phishing attempts.

It's annual budget is estimated at $10M+ through DCI Group (PR firm). Image
The chain that this report traced through:
DCI Group -> Israeli PI, Amit Forlit -> BellTroX InfoTech Services (India-based hack-for-hire). Image
Read 11 tweets
Matt Johansen Profile picture
Oct 10, 2024
New series of Palo Alto Networks vulnerabilities, chained together for a bad time.

“We find that a simple request to that exact endpoint over the web service resets the admin password.”

Well, I don’t like the sound of that… 🧵 Image
First up -

CVE-2024-9464 is an OS command injection vulnerability in Palo Alto Networks Expedition

This allows an authenticated attacker to run arbitrary OS commands as rootImage
Next -

CVE-2024-9465 is an SQL injection vulnerability in Palo Alto Networks Expedition

This allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys.Image
Read 7 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(