How Fast Recovery from Cyber Attacks Can Be Achieved

Cyberattacks are a constant threat to organizations of all sizes. From ransomware to data breaches, the impact of an attack can be severe, affecting business operations, customer trust, and financial stability. With the right strategies and preparation in place, however, organizations can recover far more quickly. Fast recovery comes from a combination of proactive measures, a well-practiced incident response, and effective use of technology.

1. Preparation is Key: Establishing a Robust Cybersecurity Framework

The foundation of a fast recovery from a cyberattack begins long before an incident occurs. Organizations need to develop a comprehensive cybersecurity strategy that includes preventive measures, continuous monitoring, and a response plan. Regular risk assessments should be conducted to identify vulnerabilities and address them before they can be exploited.

Key components of a cybersecurity framework include:

    • Employee Training: Making employees aware of threats such as phishing and social engineering, and giving them a simple way to report suspicious messages.
    • System and Network Protection: Timely patching, properly configured firewalls, and up-to-date endpoint protection.
    • Data Encryption: Protecting sensitive data both in transit and at rest, with keys managed separately from the data they protect.
    • Backup Solutions: Regular backups of critical data, kept offline or immutable so that an attacker who reaches production cannot encrypt or delete them, and restore-tested so you know they work before you need them.

Having these practices in place reduces the likelihood of an attack and limits the impact of one that succeeds, which is what makes a quick recovery possible.

2. Incident Response Plans: Speeding Up the Recovery Process

Even with the best preventive measures, no organization is entirely immune to cyberattacks. That’s where an Incident Response Plan (IRP) comes in. A well-structured IRP is crucial for minimizing damage and recovering as quickly as possible.

An effective IRP typically includes the following phases:

    • Preparation: Establishing protocols, teams, and tools in advance. This phase also involves creating a communication plan for internal and external stakeholders.

    • Identification: Rapidly detecting and identifying the attack, leveraging monitoring systems like intrusion detection and prevention systems (IDPS).

    • Containment: Quickly isolating affected systems (network segmentation, disabling compromised accounts, revoking credentials and tokens) to stop the attack spreading further through the network.

    • Eradication: Removing malware, attacker-created accounts and other persistence mechanisms, and any other remnants of the attack, so that the attacker cannot simply return.

    • Recovery: Restoring systems from backups that have been verified as clean and intact, and bringing affected services back online in priority order.

    • Lessons Learned: Analyzing the attack to improve defenses and prepare for future incidents.

The faster an organization moves through these stages, the sooner it recovers. A dedicated, well-trained incident response team that has rehearsed the plan, for example in tabletop exercises, is critical to keeping that pace under pressure.
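The recovery phase above depends on backups that are "secure", and attackers who reach a network routinely go after backups too. The check a responder wants before restoring is whether the backup set is still the one that was taken. The following is an added example, not code from the article: at backup time it records a SHA-256 manifest of every file and authenticates the manifest with a key held off the backed-up hosts (a hypothetical key; in practice it would live in a KMS or HSM), and before a restore it verifies the manifest and reports modified, missing and unexpected files, failing closed if the manifest itself was tampered with. The sample files and the simulated ransomware activity are constructed.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Hypothetical key. It lives on the backup/verification host, never on the systems
# being backed up, so an attacker who can modify backup data cannot re-sign a
# tampered manifest. A real deployment would fetch it from a KMS or HSM.
MANIFEST_KEY = b"example-key-kept-off-the-backed-up-hosts"


def _sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _mac(files: dict) -> str:
    body = json.dumps(files, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every file under `root` and authenticate the listing so later tampering is detectable."""
    files = {p.relative_to(root).as_posix(): _sha256_file(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    return {"files": files, "mac": _mac(files)}


def verify_backup(root: Path, manifest: dict) -> dict:
    """Check a backup set against its manifest before restoring from it.

    The manifest MAC is checked first: if the attacker rewrote the manifest, the
    per-file hashes cannot be trusted, so the result fails closed.
    """
    if not hmac.compare_digest(_mac(manifest["files"]), manifest["mac"]):
        return {"ok": False, "manifest_mac_valid": False,
                "tampered": [], "missing": [], "unexpected": []}
    present = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
    tampered = sorted(n for n, d in manifest["files"].items()
                      if n in present and _sha256_file(present[n]) != d)
    missing = sorted(n for n in manifest["files"] if n not in present)
    unexpected = sorted(n for n in present if n not in manifest["files"])
    return {"ok": not (tampered or missing or unexpected), "manifest_mac_valid": True,
            "tampered": tampered, "missing": missing, "unexpected": unexpected}


def demo() -> dict:
    """Constructed scenario: take a backup, then simulate ransomware encrypting one
    file and dropping a ransom note inside the backup set."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "customers.sql").write_text("INSERT INTO customers VALUES (1, 'alice');\n")
        (root / "config.yaml").write_text("retention_days: 30\n")
        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)

        # Simulated ransomware activity against the backup copy.
        (root / "db" / "customers.sql").write_bytes(b"\x00encrypted-garbage\x00")
        (root / "README_RESTORE_FILES.txt").write_text("pay us\n")
        after = verify_backup(root, manifest)

        # The attacker updates the hash for the encrypted file but cannot recompute the MAC.
        forged_files = {**manifest["files"],
                        "db/customers.sql": _sha256_file(root / "db" / "customers.sql")}
        forged = verify_backup(root, {"files": forged_files, "mac": manifest["mac"]})
    return {"clean": clean, "after": after, "forged": forged}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest should be stored with the backup and, separately, wherever the key lives; a restore runbook then refuses any set whose verification result is not `ok`, and the `tampered`/`unexpected` lists tell the responder what the attacker touched.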

3. Leveraging Technology for Faster Recovery

Technology plays a central role in speeding up recovery. Security Information and Event Management (SIEM) systems correlate logs from across the estate and raise alerts that can surface suspicious activity early, while it is still cheap to contain. Automated response tooling can take containment and eradication actions (isolating a host, disabling an account, blocking an indicator) without waiting for a human, which shortens response time and reduces the chance of error. Such automation needs the same guardrails as any other privileged process: a bad playbook can take healthy systems offline just as quickly as an attacker can.

Cloud-based backup services let a business restore data without depending on on-premises hardware that may itself have been damaged in the attack, and they allow recovery to be driven remotely. They are only as safe as their access controls, though: backups that can be deleted or overwritten with the same credentials the attacker already holds offer little protection. Backup storage should use separate credentials, multi-factor authentication, and immutability or retention locks where the provider supports them.

For businesses hit by ransomware, free decryption tools exist for some ransomware families, typically where the malware's cryptography was flawed or its keys were later seized or leaked. Those tools, together with threat intelligence on the group involved, help identify the attack vector and the attacker's likely tooling, which speeds up scoping and recovery. Identify the family first, from the ransom note and the extension added to encrypted files, since decryptors are specific to a family and often to a version, and check for one before any payment is considered.

4. Communication and Transparency

During and after a cyberattack, clear and transparent communication with stakeholders—whether they are employees, customers, partners, or regulatory bodies—can make a significant difference in the speed of recovery. Keeping stakeholders informed can help to manage the reputation of the organization, maintain trust, and prevent the spread of misinformation.

An organization’s crisis communication plan should include:

    • Immediate notification to stakeholders about the incident, including what is known about its nature and the actions being taken, with any regulatory notification deadlines that apply tracked from the start.

    • Regular updates throughout the recovery process, providing transparency about progress and any potential delays.

    • A clear explanation after recovery about what caused the attack, how it was mitigated, and the steps being taken to prevent future incidents.

Well-handled communication can help rebuild confidence in the organization and ensure continued cooperation from all involved parties.

5. Post-Attack Analysis: Learning and Improving

Once the immediate crisis has passed, the final step in speeding up future recovery is conducting a thorough post-mortem analysis of the attack. This involves investigating how the attack happened, what vulnerabilities were exploited, and which areas of the recovery process worked well and which ones need improvement.

By continuously improving the incident response process, updating security measures, and adapting to new threat landscapes, organizations can reduce the risk of a successful attack in the future and accelerate recovery in case of a subsequent breach.

6. The Role of Insurance

Another factor in speeding up recovery is cyber insurance. Having a well-structured cyber insurance policy can provide critical financial support to cover the costs of recovery, such as IT repairs, legal fees, and public relations efforts. Many policies also offer access to expert services in areas like forensics and incident response, which can further expedite the recovery process.

Conclusion

Achieving fast recovery from a cyberattack is a multi-faceted process that requires a combination of preparedness, well-coordinated response efforts, technology, and communication. Organizations that take a proactive approach by establishing robust cybersecurity frameworks, maintaining up-to-date incident response plans, leveraging the right tools, and continuously improving their strategies will find themselves better positioned to recover quickly from cyberattacks. In the face of such threats, speed and efficiency are essential to minimizing damage and protecting the long-term success of a business.

The post How Fast Recovery from Cyber Attacks Can Be Achieved appeared first on Cybersecurity Insiders.

from Cybersecurity Insiders https://ift.tt/n8Jwq1H
via IFTTT

AWS Weekly Roundup: AWS Step Functions, AWS CloudFormation, Amazon Q Developer, and more (February 10, 2025)

We are well settled into 2025 by now, but many people are still catching up with all the exciting new releases and announcements that came out of re:Invent last year. There have been hundreds of re:Invent recap events around the world since the beginning of the year, including in-person all-day official AWS events with multiple tracks to help you discover and dive deeper into the releases you care about, as well as community and virtual events.

Last month, I was lucky to be a co-host for AWS EMEA re:Invent re:Cap which was a nearly 4-hour livestream with experts featuring demos, whiteboard sessions, and a live Q&A. The good news is that you can now watch it on-demand! We had a great team and thousands of people enjoyed learning through the virtual experience. I recommend you check it out or share it with colleagues who have not been able to attend any re:Invent re:Cap events.

The Korean team also did an amazing job hosting their own virtual re:Invent re:Cap event, and it’s also now available on-demand. So if you speak Korean I do recommend you check it out.

If you’re more of a reader, then we have a treat for you. You can download the full official re:Invent re:Cap deck with all the slides covering releases across all areas by visiting community.aws! While there, you can also check all the upcoming in-person re:Invent re:Cap community events remaining across the globe for a chance to still attend one of those in a city near you.

But as we know, new releases, announcements, and updates don’t stop at re:Invent. Every week there are even more, and this is why we have this Weekly Roundup series that you can read every Monday to get the AWS news highlights from the week before.

So here’s what caught my attention last week.

Last week’s AWS Launches
If you use AWS Step Functions you may be interested in these:

Amazon Q Developer also got a couple of updates:

Here are some other releases that caught my attention this week from a variety of other AWS services:

AWS CloudFormation introduces stack refactoring – You can now split CloudFormation stacks, move resources from one stack to another, and change the logical ID of a resource within the same stack, without replacing the underlying resources. This adds a lot of flexibility for keeping up with changes in your organization and architecture, such as streamlining resource lifecycle management for existing stacks and adopting new naming conventions. You can refactor stacks using the AWS Command Line Interface (AWS CLI) or the AWS SDKs.

AWS Config now supports four new resource types – AWS Config monitors resources across your AWS environment and helps you check them against your company's security policies and compliance requirements. It now supports four new resource types, so you can monitor Amazon VPC block public access settings and any exclusions made within those settings, as well as S3 Express One Zone bucket policies and directory bucket settings.

Automated recovery of Microsoft SQL Server on EC2 instances with VSS – You can now use Microsoft's Volume Shadow Copy Service (VSS) to back up SQL Server databases to Amazon Elastic Block Store (EBS) snapshots while the database is running. An AWS Systems Manager Automation runbook then lets you choose a recovery point and restores the database automatically from the VSS-based EBS snapshot, without incurring downtime.

Other updates
Upcoming changes to the AWS Security Token Service (AWS STS) global endpoint – To improve the resiliency and performance of your applications, AWS is changing how the STS global endpoint (sts.amazonaws.com) is served, with no action required from customers. Starting in early 2025, requests to the global endpoint will be served in the same Region as the workload that makes them. For example, if your application calls sts.amazonaws.com from the US West (Oregon) Region, the call will be served in US West (Oregon) instead of US East (N. Virginia). The change will be released in the coming weeks and rolled out gradually to the Regions that are enabled by default, finishing by mid-2025.
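The item says no action is required, but many teams still want to know which workloads are calling the global endpoint at all, since regional STS endpoints are the long-standing AWS recommendation for latency and fault isolation. The following is an added example, not code from the AWS post: it scans CloudTrail records and reports the identities still connecting to sts.amazonaws.com, using the clientProvidedHostHeader field in tlsDetails and falling back to the awsRegion heuristic (global-endpoint calls were recorded in us-east-1) for older records that lack it. The sample records, account ID and ARNs are constructed.

```python
import gzip
import json
from collections import Counter

GLOBAL_STS_HOST = "sts.amazonaws.com"

# Constructed CloudTrail records (not real account data). Field names follow the
# CloudTrail record format; tlsDetails.clientProvidedHostHeader is the host the
# caller actually connected to, which distinguishes the global from a regional endpoint.
SAMPLE_EVENTS = [
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-runner"},
     "tlsDetails": {"clientProvidedHostHeader": "sts.amazonaws.com"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity", "awsRegion": "us-west-2",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/app/i-0abc123"},
     "tlsDetails": {"clientProvidedHostHeader": "sts.us-west-2.amazonaws.com"}},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/legacy-batch"}},  # older record, no tlsDetails
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-runner"},
     "tlsDetails": {"clientProvidedHostHeader": "sts.eu-west-1.amazonaws.com"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-runner"}},
]


def uses_global_sts_endpoint(event: dict) -> bool:
    """True when an STS call went to the global endpoint rather than a regional one."""
    if event.get("eventSource") != "sts.amazonaws.com":
        return False
    host = event.get("tlsDetails", {}).get("clientProvidedHostHeader")
    if host is not None:
        return host.lower() == GLOBAL_STS_HOST
    # Records without tlsDetails: calls to the global endpoint were logged in
    # us-east-1, so treat STS calls recorded there as "probably global".
    return event.get("awsRegion") == "us-east-1"


def global_endpoint_callers(events) -> dict:
    """Map each calling identity ARN to its number of global-endpoint STS calls."""
    counts = Counter()
    for ev in events:
        if uses_global_sts_endpoint(ev):
            counts[ev["userIdentity"]["arn"]] += 1
    return dict(counts)


def load_records(path: str) -> list:
    """Read one CloudTrail log file (gzip-compressed JSON with a top-level 'Records' list)."""
    with gzip.open(path, "rt") as f:
        return json.load(f)["Records"]


if __name__ == "__main__":
    for arn, n in sorted(global_endpoint_callers(SAMPLE_EVENTS).items()):
        print(f"{n:4d}  {arn}")
```

Run it over the files from a CloudTrail S3 prefix with `load_records` in place of `SAMPLE_EVENTS`; identities that show up can be moved to regional endpoints through the SDK or CLI configuration (`sts_regional_endpoints = regional` in the AWS config file) rather than waiting for the rollout. The `awsRegion` fallback is a heuristic, not proof, so treat it as a lead to confirm against newer records.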

Upcoming AWS and community events

AWS Public Sector Day London, February 27 — Join public sector leaders and innovators to explore how AWS is enabling digital transformation in government, education, and healthcare.

AWS Innovate GenAI + Data Edition — A free online conference focusing on generative AI and data innovations. Available in multiple Regions: APJC and EMEA (March 6), North America (March 13), Greater China Region (March 14), and Latin America (April 8).

Browse more upcoming AWS led in-person and virtual developer-focused events.

Looking for some reading recommendations? At the beginning of every year Dr. Werner Vogels, VP and CTO of Amazon, publishes a list of recommended books that he believes should have your attention. This year’s list is looking particularly good in my opinion!

That’s it for this week! For a full list of AWS announcements, be sure to keep an eye on the What’s New with AWS page.

See you next time 🙂

Matheus Guimaraes | @codingmatheus

from AWS News Blog https://ift.tt/Embd0YP
via IFTTT

Kraken Ransomware strikes Cisco servers to steal data

Cisco, a global leader in networking equipment, was reported this week to have suffered a cyberattack in which data from its Active Directory environment was stolen, posted on the dark web, and potentially offered for sale. The report raised concerns about the security of the company’s operations and the possible long-term impact on its reputation.

The Kraken ransomware gang claimed responsibility for the breach, saying it had access to Cisco’s environment for several months. During that period the attackers reportedly reached critical data, including credentials, research and development information, and other proprietary material.

According to information available to Cybersecurity Insiders, the stolen data included usernames, security identifiers (SIDs), password hashes, financial information, and some employee-related data. A dataset mixing these types of data was available on the dark web until the previous Friday.

However, Cisco Talos, the company’s threat intelligence and research group, has since clarified that the leaked data comes from a previously disclosed incident dating back to May 2022, and that there is no evidence of any new or ongoing compromise of Cisco’s networks. That is reassuring, but old credential material is not harmless: password hashes from 2022 can still be cracked or reused wherever the underlying passwords were never rotated, so the incident still illustrates the persistent risks that organizations face as stolen data resurfaces long after the original breach.

The news of the breach surfaced at a particularly sensitive time for Cisco, as the company had just announced its acquisition of SnapAttack, a threat detection platform aimed at enhancing Cisco’s security capabilities. This acquisition is expected to strengthen the Cisco Splunk business, accelerating its organic threat detection capabilities. However, the timing of the attack raises concerns about the company’s ability to maintain customer trust and the potential impact on future deals.

In the wake of such an attack, companies risk significant damage to their reputation. Cybersecurity breaches can erode trust among customers, partners, and other stakeholders, while also providing competitors with an opportunity to capitalize on the situation. This breach serves as a reminder of how vulnerable even the most established companies can be to cyber threats, and how the repercussions of such incidents can extend far beyond the immediate damage to the organization’s security.

The post Kraken Ransomware strikes Cisco servers to steal data appeared first on Cybersecurity Insiders.

from Cybersecurity Insiders https://ift.tt/dZ7jSGh
via IFTTT

Projecting the next decade of software supply chain security

With the rapid pace of innovation accelerating under a new administration, discussions over whether software security will be sidelined in favor of speed are heating up. However, security leaders have long been saying that security protocols shouldn’t slow down development plans — and they don’t when done correctly. This perception must be adopted more widely so that innovation and security can happen in tandem. 

Preventing thieves from entering your home in the first place 

Currently, the software industry stands at a crossroads. The past few years have seen devastating supply chain attacks — from the SolarWinds attack to the Log4Shell vulnerability — that have shaken our confidence in the fundamental security of our digital infrastructure. They took trusted tools and turned them into threats, and most of the industry was powerless. 

It’s akin to a burglar breaking into your home and even though you can see them raiding your personal belongings on your security camera, you can’t do anything about it until after the fact. What good are those cameras if they only record the theft, or scanners if they only catch threats already in your environment? What if you could prevent thieves from entering your home in the first place, and remove threats to your organization altogether? 

Shifting what it means to be secure and innovative 

Looking ahead to 2035, we envision a radically different landscape. Instead of development teams struggling with basic questions like “what’s actually in our software?” and “can we trust these dependencies?”, we see a future where development environments verifying the integrity of dependencies is as automatic as syntax highlighting is today. Where every container image is built directly from source and carries cryptographic proof of its build process and composition — and every vulnerability is patched. In this world, security is built in, and enables innovation. 

The building blocks of this transformation are already emerging. New standards for supply chain integrity are taking shape, pushed forward by executive orders and industry initiatives. Sigstore, for example, is showing how code signing can be made ubiquitous and accessible by tying signatures to the identities developers already have and recording them in a public transparency log. 
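The "cryptographic proof of its build process and composition" above is, in practice, a signed attestation: an in-toto statement carrying SLSA provenance, wrapped in a DSSE envelope, whose subject is the image digest. The following is an added example, not code from the article or from Sigstore: it implements the DSSE pre-authentication encoding, binds the attestation to an image digest, and applies a deployment policy (correct predicate type, trusted builder identity) before accepting the image. The builder identity, image name and key are hypothetical, and an HMAC stands in for the ECDSA signature and Fulcio certificate a real Sigstore verification would check, so that it runs offline with the standard library.

```python
import base64
import hashlib
import hmac
import json

PAYLOAD_TYPE = "application/vnd.in-toto+json"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"
# Hypothetical policy: only images attested by this builder identity may be deployed.
TRUSTED_BUILDERS = {
    "https://github.com/example-org/build-pipeline/.github/workflows/release.yml@refs/heads/main",
}
# Stand-in for the verification key. Real Sigstore verification checks an ECDSA
# signature against a Fulcio certificate bound to an OIDC identity; HMAC is used
# here only so the example runs offline.
VERIFY_KEY = b"constructed-example-key"


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the signature covers type and payload together."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


def sign_envelope(statement: dict, key: bytes = VERIFY_KEY) -> dict:
    payload = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, pae(PAYLOAD_TYPE, payload), hashlib.sha256).digest()
    return {"payloadType": PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": "example-key", "sig": base64.b64encode(sig).decode()}]}


def verify_provenance(envelope: dict, image_digest: str, key: bytes = VERIFY_KEY) -> tuple:
    """Return (ok, reason). Any failed check is a reason to refuse deployment."""
    if envelope.get("payloadType") != PAYLOAD_TYPE:
        return False, "unexpected payloadType"
    payload = base64.b64decode(envelope["payload"])
    expected = hmac.new(key, pae(envelope["payloadType"], payload), hashlib.sha256).digest()
    if not any(hmac.compare_digest(expected, base64.b64decode(s["sig"]))
               for s in envelope.get("signatures", [])):
        return False, "no valid signature"
    stmt = json.loads(payload)  # parse only after the signature is verified
    if stmt.get("predicateType") != SLSA_PROVENANCE_V1:
        return False, "not a SLSA v1 provenance predicate"
    subjects = {s.get("digest", {}).get("sha256") for s in stmt.get("subject", [])}
    if image_digest not in subjects:
        return False, "attestation does not cover this image digest"
    builder = stmt.get("predicate", {}).get("runDetails", {}).get("builder", {}).get("id")
    if builder not in TRUSTED_BUILDERS:
        return False, f"untrusted builder: {builder}"
    return True, "ok"


def demo() -> dict:
    """Constructed image, attestation, and two ways an attacker might try to pass it."""
    digest = hashlib.sha256(b"constructed image blob").hexdigest()
    stmt = {"_type": "https://in-toto.io/Statement/v1",
            "subject": [{"name": "registry.example/app", "digest": {"sha256": digest}}],
            "predicateType": SLSA_PROVENANCE_V1,
            "predicate": {"buildDefinition": {"externalParameters": {
                              "source": "https://github.com/example-org/app@refs/tags/v1.2.3"}},
                          "runDetails": {"builder": {"id": next(iter(TRUSTED_BUILDERS))}}}}
    env = sign_envelope(stmt)
    # Attacker edits the builder id inside the payload but cannot re-sign it.
    tampered_stmt = json.loads(base64.b64decode(env["payload"]))
    tampered_stmt["predicate"]["runDetails"]["builder"]["id"] = "https://attacker.example/builder"
    tampered_payload = json.dumps(tampered_stmt, sort_keys=True, separators=(",", ":")).encode()
    tampered = dict(env, payload=base64.b64encode(tampered_payload).decode())
    # Attacker reuses a genuine attestation for a different image.
    other_digest = hashlib.sha256(b"different image").hexdigest()
    return {"good": verify_provenance(env, digest),
            "tampered": verify_provenance(tampered, digest),
            "wrong_image": verify_provenance(env, other_digest)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12s} {result}")
```

The order of checks matters: the signature is verified over the raw bytes before the JSON is parsed, and the subject digest is compared to the digest the registry actually served, not to a tag. Swapping the HMAC for signature verification against a Fulcio certificate and a Rekor inclusion proof turns this into the check `cosign verify-attestation` performs.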

This isn’t just about better tools — it’s about fundamentally shifting how we think about security and productivity. The perception that security controls necessarily slow down development needs to be challenged. When thoughtfully designed and seamlessly integrated, security controls can actually accelerate development by eliminating entire categories of risks and the incidents they cause. 

Building a world where every line of code is secure by default

Getting to this future requires solving significant challenges and collaboration across the entire software ecosystem — from individual developers to the largest enterprises, from open-source maintainers to cloud providers. By making security an inherent part of our development tools and processes rather than an optional layer, we can build a world where every line of code is secure by default, and trust is established through verification rather than assumption. 

That’s essential not to just businesses, but to our society. As software increasingly powers critical infrastructure, medical devices, and financial systems, the security of our supply chain becomes inseparable from our collective security. 

This isn’t just an aspirational future — it’s an imperative one. The organizations that will thrive in 2035 will be those that recognized this reality in 2025 and began adapting accordingly.

Dan Lorenc is the co-founder and CEO of Chainguard. 

The post Projecting the next decade of software supply chain security appeared first on CyberScoop.

from CyberScoop https://ift.tt/qzdkNfb
via IFTTT

⚡ THN Weekly Recap: Top Cybersecurity Threats, Tools and Tips [10 February]

In cybersecurity, the smallest crack can lead to the biggest breaches. A leaked encryption key, an unpatched software bug, or an abandoned cloud storage bucket—each one seems minor until it becomes the entry point for an attack.
This week, we’ve seen cybercriminals turn overlooked weaknesses into major security threats, proving once again that no system is too small to be targeted. The question

from The Hacker News https://ift.tt/kR4HAMT
via IFTTT

What is a Seed Phrase Cyber Attack?

In the growing world of cryptocurrency and digital assets, security is a top concern. One of the most significant risks that cryptocurrency holders face is the potential for a seed phrase cyber attack. While these attacks are often misunderstood by casual users, understanding how they work can help individuals protect their digital wallets and assets from being compromised.

Understanding Seed Phrases: The Foundation of Cryptocurrency Security

A seed phrase (also known as a recovery phrase, mnemonic phrase, or backup phrase) is a list of 12 to 24 words, generated by the wallet from its master secret (most wallets follow the BIP39 standard), from which every private key in the wallet can be re-derived. The words let you recover access to your wallet if you lose your device, forget your password, or otherwise cannot reach your funds. The seed phrase is therefore a master key: anyone holding it has full control over all assets in the associated wallet.

Given their importance, it’s crucial to keep seed phrases secure and private. However, if attackers manage to gain access to this phrase, they can control the entire wallet and drain all of its assets.

How Seed Phrase Cyber Attacks Work

A seed phrase cyber attack is any attempt by criminals to obtain a victim’s seed phrase in order to take over the wallet. Most are phishing or social engineering, designed to trick the victim into handing the phrase over; others use malware to harvest it from the victim’s device.

Here are some common methods used by cybercriminals in seed phrase attacks:

1. Phishing Emails and Fake Websites: Attackers send emails that appear to come from legitimate sources, such as wallet providers or cryptocurrency exchanges, linking to fake websites that look nearly identical to the real ones. Once the victim enters their seed phrase on such a site, the attackers can import the wallet on their own device and drain it.

Phishing websites typically ask users to “recover” their wallet or “verify” their identity by entering their seed phrase.

2. Malware and Spyware: Malicious software on a victim’s computer, phone, or browser may log keystrokes, take screenshots, or monitor the clipboard. If the user copies and pastes their seed phrase, or types it into a wallet app on the infected device, the malware can capture it and send it to the attacker.

Some malware families are built specifically to target cryptocurrency wallets and their recovery phrases, giving attackers a direct path to the funds.

3. Social Engineering: Here the attacker manipulates the victim into revealing the seed phrase in conversation, over messaging apps, or on social media, often by posing as a support agent, a friend, or someone in need of help. Having built trust, the attacker asks for the seed phrase under the guise of “security reasons” or “account recovery”.

4. Fake Mobile Apps and Wallets: Attackers also publish fraudulent mobile apps that mimic legitimate cryptocurrency wallets. These apps can look identical to the official ones and ask the user to enter their seed phrase to “restore” a wallet; once entered, the attacker uses it to take the funds.

Consequences of a Seed Phrase Cyber Attack

When an attacker successfully obtains a victim’s seed phrase, they can fully control the wallet associated with it. This means they can transfer all the assets in the wallet to their own account, leaving the victim with nothing. Since cryptocurrency transactions are irreversible, victims may have little recourse in recovering their stolen funds.

Moreover, many victims of seed phrase attacks report feeling a sense of betrayal and loss due to the personal nature of the attack, especially when social engineering is involved.

How to Protect Yourself from Seed Phrase Cyber Attacks

Never Share Your Seed Phrase–The most important rule is simple: never share your seed phrase with anyone, under any circumstance. No legitimate service or company will ever ask for it. If someone does, it’s almost certainly a scam.

Use Hardware Wallets–Storing cryptocurrency with a hardware wallet is one of the most secure options. The device holds your private keys offline and signs transactions internally, so malware on your computer cannot read the keys. It does not, however, protect a seed phrase that you type into a phishing site or a fake app; the device only protects keys that never leave it, so the rule above about never sharing the phrase still applies.

Enable Two-Factor Authentication (2FA)–Enable 2FA on exchange and other custodial accounts wherever it is offered; it adds a second barrier if your password is compromised. Be clear about its limits: 2FA protects accounts held by a service, not a self-custody wallet. A leaked seed phrase bypasses it entirely, because whoever has the phrase can restore the wallet on their own device without ever logging in anywhere.

Be Wary of Phishing Attempts–Always check the full hostname of any site you are about to enter sensitive information into. Avoid clicking links in unsolicited emails or text messages; instead, open your wallet provider or exchange from a bookmark you created yourself or by typing the address manually.

Keep Your Seed Phrase Offline–It’s vital to store your seed phrase offline in a secure location. Do not store it in digital form (e.g., screenshots, text files) on your computer, phone, or cloud storage. Consider writing it down on paper and keeping it in a safe place.

Beware of Malicious Software–Ensure that your devices are protected with up-to-date antivirus software. Avoid downloading apps or software from untrusted sources, and make sure to regularly update your device’s operating system to patch any vulnerabilities.

Avoid Public Wi-Fi–Avoid using public Wi-Fi networks when accessing your cryptocurrency wallet, as they are easy places for attackers to intercept or redirect traffic. If you must use public Wi-Fi, a VPN (Virtual Private Network) encrypts your connection to the VPN provider, which helps on an untrusted network, but it does nothing against a phishing site or malware already on your device.
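The fake-website and "check the URL" advice above is easy to state and hard to apply by eye, because lookalike hosts are built to survive a glance. The following is an added example, not code from the article: given an allow-list of the hostnames a user actually uses, it classifies a URL as trusted, unknown or lookalike, catching userinfo tricks (`trusted.host@evil.host`), punycode hostnames that decode to non-ASCII homoglyphs, trusted names embedded in a different domain, and hosts one or two characters away from a trusted one. The allow-listed hosts and all sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Hypothetical allow-list: the exact hostnames this user's wallet provider and
# exchange use. Maintain it from your own bookmarks, never from links you receive.
TRUSTED_HOSTS = {"wallet.example.com", "app.example-exchange.com"}

# Constructed homoglyph sample: "wallet" spelled with a Cyrillic 'а' (U+0430),
# encoded to the punycode form a browser would actually send.
HOMOGLYPH_SAMPLE = "https://" + "w\u0430llet.example.com".encode("idna").decode("ascii") + "/login"


def _levenshtein(a: str, b: str) -> int:
    """Edit distance, for catching 'examp1e' and similar one-character swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _decode_host(host: str) -> str:
    """Decode punycode (xn--) labels so homoglyphs become visible; lowercase the result."""
    try:
        return host.encode("ascii").decode("idna").lower()
    except UnicodeError:
        return host.lower()


def check_url(url: str) -> dict:
    """Classify a URL as 'trusted', 'unknown' or 'lookalike' with the reasons found."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = parts.hostname or ""
    if host in TRUSTED_HOSTS:
        return {"host": host, "verdict": "trusted", "reasons": []}
    decoded = _decode_host(host)
    reasons = []
    if parts.username is not None:
        reasons.append(f"text before '@' is userinfo, not the host; the real host is {host}")
    if any(ord(c) > 127 for c in decoded):
        reasons.append(f"hostname contains non-ASCII characters after punycode decoding: {decoded}")
    for trusted in sorted(TRUSTED_HOSTS):
        if trusted in decoded and not decoded.endswith("." + trusted):
            reasons.append(f"trusted name '{trusted}' is embedded in a different host")
        else:
            distance = _levenshtein(decoded, trusted)
            if 0 < distance <= 2:
                reasons.append(f"{distance} character(s) away from '{trusted}'")
    return {"host": host, "verdict": "lookalike" if reasons else "unknown", "reasons": reasons}


if __name__ == "__main__":
    for sample in ("https://wallet.example.com/",
                   "https://wallet.examp1e.com/recover",
                   "https://wallet.example.com.secure-login.net/",
                   "https://wallet.example.com@evil.example.net/recover",
                   HOMOGLYPH_SAMPLE,
                   "https://news.example.org/"):
        print(check_url(sample))
```

"Unknown" is not "safe": it only means the host is neither on the allow-list nor an obvious imitation of one, which is exactly the case where the advice to type the address yourself applies. A real subdomain of a trusted host is deliberately left as unknown rather than trusted, since the allow-list holds exact hostnames.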

Conclusion

Seed phrase cyber attacks are a significant and growing threat in the world of cryptocurrency. These attacks rely on exploiting human error, trust, and technological vulnerabilities to steal valuable digital assets. By understanding how these attacks work and taking proactive measures to protect seed phrases, individuals can reduce the risk of falling victim to such scams. In the world of digital finance, securing your seed phrase is the first line of defense against losing control of your assets.

The post What is a Seed Phrase Cyber Attack? appeared first on Cybersecurity Insiders.

from Cybersecurity Insiders https://ift.tt/2vlXhaE
via IFTTT

NAKIVO Launches v11 with Agentless Backup and Recovery for Proxmox Virtual Environments

NAKIVO is one of the first data backup solution providers to support data protection for Proxmox virtual environments

SPARKS, Nevada – NAKIVO, the leading backup and disaster recovery solution provider, recently launched agentless backup support for Proxmox virtual machine data to cater to the needs of its diverse customer base. 

Backup for Proxmox VM data from NAKIVO

With Proxmox VE agentless backup, NAKIVO Backup & Replication extends the list of supported virtualization platforms, encompassing industry leaders like VMware, Hyper-V, Nutanix AHV, and now Proxmox VE.

Customers can protect their Proxmox VM data using agentless backup with a free 15-day trial. This support comes with a set of capabilities, such as:

  • Full and incremental, image-based Proxmox VM backup
  • Backup copy to remote sites, public clouds, other S3-compatible platforms and tape
  • Full VM data recovery
  • Instant recovery of files and app objects to the original or a custom location

Proxmox Backup: Key Challenges

Proxmox Backup Server (PBS) is designed for use with Proxmox VE, serving as the native solution for backing up and recovering Proxmox virtual machines. It offers snapshot-based data protection, replication, and recovery capabilities through both CLI and web-based interfaces, along with features like data deduplication and encryption. However, users may encounter several challenges that lead them to consider alternative solutions.

Backup tiering and automation

Following the 3-2-1 rule for backup data is recommended: keep three copies of your data (the production copy plus two backups) on two different storage media, with one copy offsite or in the cloud. While Proxmox Backup Server can be configured to synchronize backups to a remote or cloud target, the setup is manual and prone to human error, and large organizations and enterprises may find the native Proxmox backup automation insufficient.

Anti-ransomware protection

Cyber attacks can target backups in addition to production data. This means that you need to protect your backup copies from ransomware or malware. While Proxmox Backup Server provides some security features, it is relatively complicated to configure immutability in PBS since it requires advanced IT expertise and third-party integrations, which might cause compatibility issues.

Multi-platform support

Proxmox Backup Server is mainly designed to provide data protection for Proxmox VE infrastructures and Linux-based machines. This can work well in homogenous Proxmox-based virtualization systems but it can lead to several issues if your infrastructure includes multiple platforms.

ABOUT NAKIVO

NAKIVO is a software vendor dedicated to delivering backup, ransomware protection and disaster recovery solutions for VMware, physical, cloud and SaaS environments, including NAKIVO backup solutions for MSPs. Over 29,000 customers in 183 countries trust NAKIVO to protect their data, including major companies like Coca-Cola, Honda, Siemens, and Cisco.

The post NAKIVO Launches v11 with Agentless Backup and Recovery for Proxmox Virtual Environments appeared first on Cybersecurity Insiders.

from Cybersecurity Insiders https://ift.tt/Xo5ik0B
via IFTTT

Teen on Musk’s DOGE Team Graduated from ‘The Com’

Wired reported this week that a 19-year-old working for Elon Musk‘s so-called Department of Government Efficiency (DOGE) was given access to sensitive US government systems even though his past association with cybercrime communities should have precluded him from gaining the necessary security clearances to do so. As today’s story explores, the DOGE teen is a former denizen of ‘The Com,’ an archipelago of Discord and Telegram chat channels that function as a kind of distributed cybercriminal social network for facilitating instant collaboration.

Since President Trump’s second inauguration, Musk’s DOGE team has gained access to a truly staggering amount of personal and sensitive data on American citizens, moving quickly to seize control over databases at the U.S. Treasury, the Office of Personnel Management, the Department of Education, and the Department of Health and Human Services, among others.

Wired first reported on Feb. 2 that one of the young technologists on Musk’s crew is a 19-year-old high school graduate named Edward Coristine, who reportedly goes by the nickname “Big Balls” online. One of the companies Coristine founded, Tesla.Sexy LLC, was set up in 2021, when he would have been around 16 years old.

“Tesla.Sexy LLC controls dozens of web domains, including at least two Russian-registered domains,” Wired reported. “One of those domains, which is still active, offers a service called Helfie, which is an AI bot for Discord servers targeting the Russian market. While the operation of a Russian website would not violate US sanctions preventing Americans doing business with Russian companies, it could potentially be a factor in a security clearance review.”

Mr. Coristine has not responded to requests for comment. In a follow-up story this week, Wired found that someone using a Telegram handle tied to Coristine solicited a DDoS-for-hire service in 2022, and that he worked for a short time at a company that specializes in protecting customers from DDoS attacks.

A profile photo from Coristine’s WhatsApp account.

Internet routing records show that Coristine runs an Internet service provider called Packetware (AS400495). Also known as “DiamondCDN,” Packetware currently hosts tesla[.]sexy and diamondcdn[.]com, among other domains.

DiamondCDN was advertised and claimed by someone who used the nickname “Rivage” on several Com-based Discord channels over the years. A review of chat logs from some of those channels show other members frequently referred to Rivage as “Edward.”

From late 2020 to late 2024, Rivage’s conversations would show up in multiple Com chat servers that are closely monitored by security companies. In November 2022, Rivage could be seen requesting recommendations for a reliable and powerful DDoS-for-hire service.

Rivage made that request in the cybercrime channel “Dstat,” a core Com hub where users could buy and sell attack services. Dstat’s website dstat[.]cc was seized in 2024 as part of “Operation PowerOFF,” an international law enforcement action against DDoS services.

Coristine’s LinkedIn profile said that in 2022 he worked at an anti-DDoS company called Path Networks, which Wired generously described as a “network monitoring firm known for hiring reformed blackhat hackers.” Wired wrote:

“At Path Network, Coristine worked as a systems engineer from April to June of 2022, according to his now-deleted LinkedIn résumé. Path has at times listed as employees Eric Taylor, also known as Cosmo the God, a well-known former cybercriminal and member of the hacker group UGNazis, as well as Matthew Flannery, an Australian convicted hacker whom police allege was a member of the hacker group LulzSec. It’s unclear whether Coristine worked at Path concurrently with those hackers, and WIRED found no evidence that either Coristine or other Path employees engaged in illegal activity while at the company.”

The founder of Path is a young man named Marshal Webb. I wrote about Webb back in 2016, in a story about a DDoS defense company he co-founded called BackConnect Security LLC. On September 20, 2016, KrebsOnSecurity published data showing that the company had a history of hijacking Internet address space that belonged to others.

Less than 24 hours after that story ran, KrebsOnSecurity.com was hit with the biggest DDoS attack the Internet had ever seen at the time. That sustained attack kept this site offline for nearly 4 days.

The other founder of BackConnect Security LLC was Tucker Preston, a Georgia man who pleaded guilty in 2020 to paying a DDoS-for-hire service to launch attacks against others.

The aforementioned Path employee Eric Taylor pleaded guilty in 2017 to charges including an attack on our home in 2013. Taylor was among several men involved in making a false report to my local police department about a supposed hostage situation at our residence in Virginia. In response, a heavily-armed police force surrounded my home and put me in handcuffs at gunpoint before the police realized it was all a dangerous hoax known as “swatting.”

CosmoTheGod rocketed to Internet infamy in 2013 when he and a number of other hackers set up the Web site exposed[dot]su, which “doxed” dozens of public officials and celebrities by publishing the address, Social Security numbers and other personal information on the former First Lady Michelle Obama, the then-director of the FBI and the U.S. attorney general, among others. The group also swatted many of the people they doxed.

Wired noted that Coristine only worked at Path for a few months in 2022, but the story didn’t mention why his tenure was so short. A screenshot shared on the website pathtruths.com includes a snippet of conversations in June 2022 between Path employees discussing Coristine’s firing.

According to that record, Path founder Marshal Webb dismissed Coristine for making it known that one of its technicians was a Canadian man named Curtis Gervais who was convicted in 2017 of perpetrating dozens of swatting attacks and fake bomb threats — including at least two attempts against our home in 2014.

A snippet of text from an internal Path chat room, wherein members discuss the reason for Coristine’s termination: Allegedly, leaking internal company information. Source: Pathtruths.com.

On May 11, 2024, Rivage posted on a Discord channel for a DDoS protection service that is chiefly marketed to members of The Com. Rivage expressed frustration with his time spent on Com-based communities, suggesting that its profitability had been oversold.

“I don’t think there’s a lot of money to be made in the com,” Rivage lamented. “I’m not buying Heztner [servers] to set up some com VPN.”

Rivage largely stopped posting messages on Com channels after that. Wired reports that Coristine subsequently spent three months last summer working at Neuralink, Elon Musk’s brain implant startup.

The trouble with all this is that even if someone sincerely intends to exit The Com after years of consorting with cybercriminals, they are often still subject to personal attacks, harassment and hacking long after they have left the scene.

That’s because a huge part of Com culture involves harassing, swatting and hacking other members of the community. These internecine attacks are often for financial gain, but just as frequently they are perpetrated by cybercrime groups to exact retribution from or assert dominance over rival gangs.

Experts say it is extremely difficult for former members of violent street gangs to gain a security clearance needed to view sensitive or classified information held by the U.S. government. That’s because ex-gang members are highly susceptible to extortion and coercion from current members of the same gang, and that alone presents an unacceptable security risk for intelligence agencies.

And make no mistake: The Com is the English-language cybercriminal hacking equivalent of a violent street gang. KrebsOnSecurity has published numerous stories detailing how feuds within the community periodically spill over into real-world violence.

When Coristine’s name surfaced in Wired’s report this week, members of The Com immediately took notice. In the following segment from a February 5, 2025 chat in a Com-affiliated hosting provider, members criticized Rivage’s skills, and discussed harassing his family and notifying authorities about incriminating accusations that may or may not be true.

2025-02-05 16:29:44 UTC vperked#0 they got this nigga on indiatimes man
2025-02-05 16:29:46 UTC alexaloo#0 Their cropping is worse than AI could have done
2025-02-05 16:29:48 UTC hebeatsme#0 bro who is that
2025-02-05 16:29:53 UTC hebeatsme#0 yalla re talking about
2025-02-05 16:29:56 UTC xewdy#0 edward
2025-02-05 16:29:56 UTC .yarrb#0 rivagew
2025-02-05 16:29:57 UTC vperked#0 Rivarge
2025-02-05 16:29:57 UTC xewdy#0 diamondcdm
2025-02-05 16:29:59 UTC vperked#0 i cant spell it
2025-02-05 16:30:00 UTC hebeatsme#0 rivage
2025-02-05 16:30:08 UTC .yarrb#0 yes
2025-02-05 16:30:14 UTC hebeatsme#0 i have him added
2025-02-05 16:30:20 UTC hebeatsme#0 hes on discord still
2025-02-05 16:30:47 UTC .yarrb#0 hes focused on stroking zaddy elon
2025-02-05 16:30:47 UTC vperked#0 https://ift.tt/Mw9jxbD
2025-02-05 16:30:50 UTC vperked#0 no fucking way
2025-02-05 16:30:53 UTC vperked#0 they even made a wiki for him
2025-02-05 16:30:55 UTC vperked#0 LOOOL
2025-02-05 16:31:05 UTC hebeatsme#0 no way
2025-02-05 16:31:08 UTC hebeatsme#0 hes not a good dev either
2025-02-05 16:31:14 UTC hebeatsme#0 like????
2025-02-05 16:31:22 UTC hebeatsme#0 has to be fake
2025-02-05 16:31:24 UTC xewdy#0 and theyre saying ts
2025-02-05 16:31:29 UTC xewdy#0 like ok bro
2025-02-05 16:31:51 UTC .yarrb#0 now i wanna know what all the other devs are like…
2025-02-05 16:32:00 UTC vperked#0 “`Coristine used the moniker “bigballs” on LinkedIn and @Edwardbigballer on Twitter, according to The Daily Dot.[“`
2025-02-05 16:32:05 UTC vperked#0 LOL
2025-02-05 16:32:06 UTC hebeatsme#0 lmfaooo
2025-02-05 16:32:07 UTC vperked#0 bro
2025-02-05 16:32:10 UTC hebeatsme#0 bro
2025-02-05 16:32:17 UTC hebeatsme#0 has to be fake right
2025-02-05 16:32:22 UTC .yarrb#0 does it mention Rivage?
2025-02-05 16:32:23 UTC xewdy#0 He previously worked for NeuraLink, a brain computer interface company led by Elon Musk
2025-02-05 16:32:26 UTC xewdy#0 bro what
2025-02-05 16:32:27 UTC alexaloo#0 I think your current occupation gives you a good insight of what probably goes on
2025-02-05 16:32:29 UTC hebeatsme#0 bullshit man
2025-02-05 16:32:33 UTC xewdy#0 this nigga got hella secrets
2025-02-05 16:32:37 UTC hebeatsme#0 rivage couldnt print hello world
2025-02-05 16:32:42 UTC hebeatsme#0 if his life was on the line
2025-02-05 16:32:50 UTC xewdy#0 nigga worked for neuralink
2025-02-05 16:32:54 UTC hebeatsme#0 bullshit
2025-02-05 16:33:06 UTC Nashville Dispatch ##0000 ||@PD Ping||
2025-02-05 16:33:07 UTC hebeatsme#0 must have killed all those test pigs with some bugs
2025-02-05 16:33:24 UTC hebeatsme#0 ur telling me the rivage who failed to start a company
2025-02-05 16:33:28 UTC hebeatsme#0 https://cdn.camp
2025-02-05 16:33:32 UTC hebeatsme#0 who didnt pay for servers
2025-02-05 16:33:34 UTC hebeatsme#0 ?
2025-02-05 16:33:42 UTC hebeatsme#0 was too cheap
2025-02-05 16:33:44 UTC vperked#0 yes
2025-02-05 16:33:50 UTC hebeatsme#0 like??
2025-02-05 16:33:53 UTC hebeatsme#0 it aint adding up
2025-02-05 16:33:56 UTC alexaloo#0 He just needed to find his calling idiot.
2025-02-05 16:33:58 UTC alexaloo#0 He found it.
2025-02-05 16:33:59 UTC hebeatsme#0 bro
2025-02-05 16:34:01 UTC alexaloo#0 Cope in a river dude
2025-02-05 16:34:04 UTC hebeatsme#0 he cant make good money right
2025-02-05 16:34:08 UTC hebeatsme#0 doge is about efficiency
2025-02-05 16:34:11 UTC hebeatsme#0 he should make $1/he
2025-02-05 16:34:15 UTC hebeatsme#0 $1/hr
2025-02-05 16:34:25 UTC hebeatsme#0 and be whipped for better code
2025-02-05 16:34:26 UTC vperked#0 prolly makes more than us
2025-02-05 16:34:35 UTC vperked#0 with his dad too
2025-02-05 16:34:52 UTC hebeatsme#0 time to report him for fraud
2025-02-05 16:34:54 UTC hebeatsme#0 to donald trump
2025-02-05 16:35:04 UTC hebeatsme#0 rivage participated in sim swap hacks in 2018
2025-02-05 16:35:08 UTC hebeatsme#0 put that on his wiki
2025-02-05 16:35:10 UTC hebeatsme#0 thanks
2025-02-05 16:35:15 UTC hebeatsme#0 and in 2021
2025-02-05 16:35:17 UTC hebeatsme#0 thanks
2025-02-05 16:35:19 UTC chainofcommand#0 i dont think they’ll care tbh

Given the speed with which Musk’s DOGE team was allowed access to such critical government databases, it strains credulity that Coristine could have been properly cleared beforehand. After all, he’d recently been dismissed from a job for allegedly leaking internal company information to outsiders.

According to the national security adjudication guidelines (PDF) released by the Director of National Intelligence (DNI), eligibility determinations take into account a person’s stability, trustworthiness, reliability, discretion, character, honesty, judgement, and ability to protect classified information.

The DNI policy further states that “eligibility for covered individuals shall be granted only when facts and circumstances indicate that eligibility is clearly consistent with the national security interests of the United States, and any doubt shall be resolved in favor of national security.”

On Thursday, 25-year-old DOGE staff member Marko Elez resigned after being linked to a deleted social media account that advocated racism and eugenics. Elez resigned after The Wall Street Journal asked the White House about his connection to the account.

“Just for the record, I was racist before it was cool,” the account posted in July. “You could not pay me to marry outside of my ethnicity,” the account wrote on X in September. “Normalize Indian hate,” the account wrote the same month, in reference to a post noting the prevalence of people from India in Silicon Valley.

Elez’s resignation came a day after the Department of Justice agreed to limit the number of DOGE employees who have access to federal payment systems. The DOJ said access would be limited to two people, Elez and Tom Krause, the CEO of a company called Cloud Software Group.

Earlier today, Musk said he planned to rehire Elez after President Trump and Vice President JD Vance reportedly endorsed the idea. Speaking at The White House today, Trump said he wasn’t concerned about the security of personal information and other data accessed by DOGE, adding that he was “very proud of the job that this group of young people” are doing.

A White House official told Reuters on Wednesday that Musk and his engineers have appropriate security clearances and are operating in “full compliance with federal law, appropriate security clearances, and as employees of the relevant agencies, not as outside advisors or entities.”

NPR reports Trump added that his administration’s cost-cutting efforts would soon turn to the Education Department and the Pentagon, “where he suggested without evidence that there could be ‘trillions’ of dollars in wasted spending within the $6.75 trillion the federal government spent in fiscal year 2024.”

GOP leaders in the Republican-controlled House and Senate have largely shrugged about Musk’s ongoing efforts to seize control over federal databases, dismantle agencies mandated by Congress, freeze federal spending on a range of already-appropriated government programs, and threaten workers with layoffs.

Meanwhile, multiple parties have sued to stop DOGE’s activities. ABC News says a federal judge was to rule today on whether DOGE should be blocked from accessing Department of Labor records, following a lawsuit alleging Musk’s team sought to illegally access highly sensitive data, including medical information, from the federal government.

At least 13 state attorneys general say they plan to file a lawsuit to stop DOGE from accessing federal payment systems containing Americans’ sensitive personal information, reports The Associated Press.

Reuters reported Thursday that the U.S. Treasury Department had agreed not to give Musk’s team access to its payment systems while a judge hears arguments in a lawsuit by employee unions and retirees alleging Musk illegally searched those records.

Ars Technica writes that the Department of Education (DoE) was sued Friday by a California student association demanding an “immediate stop” to DOGE’s “unlawfully” digging through student loan data to potentially dismantle the DoE.

from Krebs on Security https://ift.tt/YN7kEcF