Posts

Attackers Demand $2.5 Million Ransom After Coordinated Ransomware Attacks on Texas Government Entities

/0 Comments/in /by
  • Two of the impacted municipalities, the City of Borger, and the City of Keene, have publicly disclosed that they’ve been impacted by the coordinated ransomware attack.
  • Keene Mayor Gary Heinrich said that the threat actor infiltrated into the city’s IT software, which is managed by a managed service provider (MSP).

The attacker who hit over 22 local government entities in Texas with a coordinated ransomware attack has demanded a collective ransom payment of $2.5 million.

Update on the attack

  • An update from the Department of Information Resources (DIR) reveal that the number of impacted entities has come down to 22.
  • Nearly 25% of the impacted entities have been moved from the response and assessment stage to remediation and recovery stage.
  • A number of impacted entities have restored their operations back to normal.
  • However, the identities of the impacted entities still remain undisclosed because of security reasons.

Meanwhile, two of the impacted municipalities have publicly disclosed that they’ve been impacted by the ransomware attack.

City of Borger

  • The City of Borger in Texas has released a press release stating that the attack has impacted the City’s business and financial operations.
  • However, the City assured that it continues to provide phone services and other basic emergency services such as Police, Fire, 9-1-1, Animal Control, Water, Wastewater and Solid Waste Collection.
  • The City confirmed that it is currently working with responders to bring its computer systems back online.

“State and Federal agencies continue investigating the origins of this attack; however response and recovery are the City’s priority at this time. Based on the current state of the forensic investigation, it appears that no customer credit card or other personal information on the City of Borger’s systems have been compromised in this attack,” read the press release.

City of Keene

The City of Keene in Texas admitted in a Facebook post that the attack has impacted the City’s services to process credit card payments.

“Keene is working with law enforcement to resolve a cyber incident that impacted servers state-wide. Because this is an investigation, we can’t share much.
Here’s what you need to know:
• No credit card payments or utility disconnections for now
• Our drinking water is safe
• Check back here for updates,” read the Facebook post.

Keene Mayor Gary Heinrich told National Public Radio that the threat actor infiltrated into the city’s IT software that is managed by an outsourced company, which also supports many of the other affected municipalities. Heinrich added that the threat actor demanded a collective ransom of $2.5 million.

“They got into our software provider, the guys who run our IT systems. A lot of folks in Texas use providers to do that, because we don’t have a staff big enough to have IT in house,” said Henrich.

  • + Aware

New phishing scam asks users to confirm unsubscribe request

/0 Comments/in /by
  • The scam emails have subject lines similar to “Confirm your unsubscribe request” or “Client #980920318 To_STOP_Receiving These Emails From Us Hit reply And Let Us Know”.
  • This scam aims to harvest active email addresses that can be used for various other scam campaigns.

Researchers have observed a long-running phishing scam campaign that pretends to be an unsubscribe confirmation request. This scam aims to harvest active email addresses that can be used for various other scam campaigns.

How does the scam work?

The scam emails have subject lines similar to “Confirm your unsubscribe request” or “Client #980920318 To_STOP_Receiving These Emails From Us Hit reply And Let Us Know”.

  • The emails include a link and ask users to click on the link in order to unsubscribe.
  • Upon clicking on the link, it will compose a new message with the subject of ‘Unsubscribe’, and aims to send it to 15 to 20 email addresses.
  • These email addresses are for domains hosted by noip.com’s free dynamic DNS service.
  • Upon sending the email, the scammers behind this campaign will get a list of active email addresses.
  • The list can then be sold to other scammers or can be used in various other scam campaigns.

“Please_confirm your Unsubscribe
To confirm your Unsubscribe, please click here or on the link below.
Unsubscribe me!
Thank you!,” the phishing email read, BleepingComputer reported.

How to stay protected?

  • It is always recommended to never open any email or click on any attachment /link that is from anonymous senders.
  • Upon opening the link, if you’re asked to send an email to 15-20 email addresses, do not send the email and simply delete the email.

Windows 7 and Office 2010 Support Ending Soon: Security Suites Continue to Provide Protection!

/0 Comments/in /by

January 14, 2020 is the day: Microsoft will retire Windows 7 and Office 2010 without fail. That is also the day when extended support will end. At least for consumer users, it will be the end of the road. Corporate users can still buy a reprieve.

Windows 7 support to end soonJanuary 2020 will see the end of Windows 7 support. Already in January 2015, Microsoft sounded the initial warning bell, as that month marked the end of regular support for Windows 7. In just one year from now, January 14, 2020, the large final gong will sound, ending even so-called extended support. After that date, there will be no more updates for bug fixes, for more security, or for internal Microsoft applications. For private users, the installed security suite will be required to take over the entire protection task from that point on. Corporate users will have it a bit easier, as they will be able to purchase another 3-year support package. Microsoft is offering the so-called Extended Security Updates (ESU) until January 2023. There are no official prices on this.

Office 2010 is also at the end of its life cycle

Incidentally, Microsoft is also sending Office 2010 into retirement. There will be no further updates after October 2020 for that application either. That doesn’t sound terrible at first, but it is. Because in the past, there have always been critical vulnerabilities in Office products which hackers have exploited. The Office 2013 version is expected to be supported until 2023. The follow-up or update version, Office 2016, is currently being actively promoted at low prices. Switching over to Office 2016 or even to the new 2019 version is not quite as dramatic as changing an operating system.

Internet security suites will provide protection even after 2020

Most manufacturers of security packages will still support their version even after 2020. However, the security packages on an old Windows 7 system will be required to monitor for more and more security gaps over time. Those who wish to or have no choice but to keep using Windows 7 ought to refrain from using certain applications, because Internet Explorer, for example, will no longer be receiving any updates.

Especially an outdated Internet Explorer or a vulnerable Outlook will significantly increase the risk of a malware infection. Microsoft will probably discontinue support for Security Essentials in 2020 as well. At least, that was the procedure when support of Windows XP was ended.

That is why users ought to look closely at whether their PC is still suitable for Internet use after 2020. Sometimes an old Windows operating system is only needed because special hardware needs to be controlled or industry software will not continue to run otherwise. However, Internet access is usually not absolutely necessary in that case.

Microsoft provides clarity on questions about end of support
On a FAQ page, Microsoft provides answers to many open questions about the end of support

zoom ico

So how much time do the users have left?

Naturally, manufacturers of security software will not support the outdated Windows 7 forever. The procedure is expected to be similar to the discontinuation of Windows XP. The normal versions for consumer users were supported by most providers for at least 12 months. Some even offered additional updates for 24 months. For enterprise products, the phase is usually longer, as they often include special extended support.

Those who are unsure can always inquire with the manufacturer of their security solution.

Private users ought to consider switching to another operating system. Windows 8.1 is not recommended, however, as regular support for that system already ended in January 2018. The extended support also only continues until 2023. That is why consumer users need to accept the possibility of upgrading to Windows 10 where possible.

Update and support for Windows 10

Looking at the Windows lifecycle fact sheet on Microsoft’s website and reading the item concerning the editions of Windows 10, it is confusing at first. Because Microsoft does not provide a specific end date for support. After each major update for the Home and Pro versions, which are always expected to be released in March and September, support will continue for another 18 months. The support period for the Enterprise and Education versions even runs a bit longer. If Microsoft adheres to its deadlines, then after the October 2018 update (version 1809), the new March or April 2019 update will be almost around the corner.

Thus: only those who always participate in the major updates, such as the Creators Update, will also remain in the support agreement. Those who don’t install the updates will no longer receive support at some point.

Continuously new vulnerabilities

On the large February 2019 Patch Tuesday – for all operating systems and Windows applications – there were notices concerning more than 70 new security vulnerabilities. Microsoft classified 20 of them as critical. These gaps are still being closed. As of January 14, 2020, the messages about Windows 7 and its internal tools will still keep piling up, but the gaps will no longer be closed. That will be the beginning of many attacks. The Hasso Plattner Institute’s Database for Vulnerability Analysis, for example, identifies in 2018 alone more than 150 vulnerabilities for Windows 7.

Enterprise Cloud Infrastructure a Big Target for Cryptomining Attacks

/0 Comments/in /by

Despite the declining values of cryptocurrencies, criminals continue to hammer away at container management platforms, cloud APIs, and control panels.

The cloud-based infrastructures that enterprise organizations are increasingly using to run their business applications have become a major target for illicit cryptomining operations.

According to new research from AT&T Cybersecurity, cryptomining has become the primary reason for most cloud infrastructure attacks these days. There’s no sign the attacks will let up soon, either, despite the drop in values of major cryptocurrencies, the vendor said in a report Wednesday.

Cryptojacking — or attacks where an organization’s (or an individual’s) computers are surreptitiously used to mine for Monero and other cryptocurrencies — has emerged as a major problem over the last 18 months or so.

Cybercriminals have been extensively planting mining tools such as Coinhive on hacked websites and quietly using the systems of people visiting the sites to mine for cryptocurrencies. They have also been deploying mining software on larger, more powerful enterprise servers and on cloud infrastructure for the same purpose.

“Hijacking servers to mine currency really picked up in 2017, at the height of the cryptocurrency boom when prices were at the highest and the potential rewards were very significant,” says Chris Dorman, security researcher at AT&T Cybersecurity. “Even though bitcoin prices have dropped 80% since their peak, the prevalence of server cryptojacking continues.”

AT&T Cybersecurity’s researchers examined cryptomining attacks against a range of cloud infrastructure targets. Container management platforms are one of them. The security vendor says its researchers have observed attackers using unauthenticated management interfaces and open APIs to compromise container management platforms and use them for cryptomining.

As one example, the researchers pointed to an attack that security vendor RedLock first reported last year, where a threat actor compromised an AWS-hosted Kubernetes server belonging to electric carmaker Tesla and then used it to mine for Monero. AT&T Cybersecurity said it has investigated other similar incidents involving malware served from the same domain that was used in the Tesla attack.

Attackers have also been frequently targeting the control panels of web hosting services, as well. In April 2018, for instance, an adversary took advantage of a previously unknown vulnerability in the open source Vesta hosting control panel (VestaCP) to install a Monero miner on web hosts running the vulnerable software.

Container management systems and control panels are not the only cloud infrastructure targets. API keys are another favorite. AT&T Cybersecurity says many attackers are running automatic scans of the web and of sites such as GitHub for openly accessible API keys, which they then use to compromise the associated accounts.

The trend requires due diligence on multiple fronts. Almost all server-side exploits in the cloud, for instance, stem from exploits in software such as Apache Struts and Drupal, Dorman says. “Typically, we see the attackers start scanning the Internet for machines to compromise within two or three days of an exploit becoming available,” he notes. So, keeping machines patched fairly quickly is key.

Similarly, ensuring complex password use and enforcing account lockouts is critical to preventing attackers from simply brute-forcing passwords to cloud servers, he says.

In terms of cloud accounts being compromised — when an attacker steals the root AWS key, for instance — there are free tools available to check all public source code and to verify if any credentials have been accidentally published, Dorman notes.

Malicious Docker images are yet another avenue of attack. Cybercriminals are hiding cryptominers in prebuilt Docker images and uploading them to Docker Hub, AT&T Cybersecurity said. Prebuilt images are popular among administrators because they can help reduce the time required to set up and configure a container app. However, if the image is malicious, organizations can end up running a cryptominer as well. So far, though, only a relatively small number of organizations have reported downloading and running malicious containers, AT&T Cybersecurity said.

For enterprises, cryptomining attacks in the cloud are a little trickier to address than attacks on on-premises systems. Deploying network detection tools, for instance, typically tends to be more difficult in the cloud. “You may have to rely upon your cloud provider letting you know if they see malicious traffic,” Dorman says.

It’s also important to centralize all logs provided by your cloud provider and to ensure that alerts are generated off of suspicious events. “For example, if you see someone log in to your root AWS account, and that isn’t normal for your environment, you should investigate immediately.”

4G and 5G protocols prone to privacy attacks, new study reveals

/0 Comments/in /by
  • The issue existed in the cellular paging (broadcast) protocol in the latest generation of mobile communications.
  • An exploit called ToRPEDO was revealed by the researchers to target 4G and 5G-enabled devices.

A new research study has uncovered serious privacy risks associated with 4G as well as the latest 5G protocols. The researchers discovered that attackers could break into devices running on these protocols to conduct denial-of-service attacks.

The study, which was done by scholars from Purdue University and the University of Iowa, analyzed cellular paging in 4G and 5G devices.

Worth Noting

  • Paging protocol balances the device’s energy consumption for different processes (for example, phone calls) running in the device.
  • Attackers can inject malicious paging messages into this protocol to perpetrate denial-of-service attacks.
  • Information such as device location, phone number, Twitter handles etc., could be compromised in 4G and 5G devices.
  • ToRPEDO, short for Tracking via Paging Message Distribution, is the method proposed by the researchers to exploit privacy.
  • IMSI-Cracking and PIERCER were the other two methods devised in the study.

Why it matters?

  • The development of 5G — the soon-to-be norm for mobile network protocols — will vastly be affected by this privacy issue.
  • Identities of 4G and 5G phone users could be exposed.
  • Sensitive information such as payment data of users could also be at risk.

The bottom line – Though the paper details loopholes in the telecommunication protocols, it also delineates the limitations associated with their attack methods.

“For ToRPEDO to be successful, an attacker needs to have a sniffer in the same cellular area as the victim. If the number of possible locations that the victim can be in is large, the expense of installing sniffers (i.e., $200 each) could be an impediment to carrying out a successful attack.”

Similarly, PIERCER would require a separate base station for the attack to be successful. The IMSI-Cracking attack only works when the victim does not realize that notifications are deactivated as part of the attack. In fact, this method was checked for 4G devices only and is not validated on 5G Networks.

Publish Date February 19, 2019 Reitspoof mysterious multistage malware makes its rounds

/0 Comments/in /by

A multi-staged malware dropping multiple payloads is infecting its victims without a clear purpose and has shown a significant uptick in activity since January 2019.

Dubbed Reitspoof, the malware has bot capabilities although Avast researchers believe it was primarily designed as a dropper, according to a Feb. 16 blog post.

The malware’s developers used several valid certificates to sign related files and the payloads went through development, namely changing the implementation of the Stage 3 communication protocol several times, the blog said.

“Rietspoof utilizes several stages, combining various file formats, to deliver a potentially more versatile malware,” researchers said. “Our data suggests that the first stage was delivered through instant messaging clients, such as Skype or Live Messenger.”

In the second stage the malware gains persistence using a technique to run an expanded Portable Executable (PE) binary after each reboot. In the third stage, the malware drops the bot payload and in the fourth stage the malware downloader will  attempt “to establish an authenticated channel through NTLM protocol over TCP with its C&C whose IP address is hardcoded.”

The malware also uses Visual Basic script for reading and deobfuscating embedded binaries, covers its tracks, and runs an expanded PE file after startup to ensure the executable will run if the machine is rebooted.

In addition nearly every version of the VBS file contains a new certificate and researchers noted the malware offers little evidence into the the of targets its seeks to infect. Researchers said its used of geofencing signifies other possible unknowns possibly suggesting that there are other samples only distributed to a specific IP address range that may have been missed by researchers

Woman loses nearly $18,000 in computer virus scam

/0 Comments/in /by

A woman is out nearly $18,000 after trying to fix what looked like a computer virus warning from Microsoft.

The Grand Island Police Department said the 74-year-old victim thought she was paying Microsoft to fix the problem after receiving a pop-up on her computer.

She said she handed over $17,849 in the form of Google Play cards over the course of several months before reporting the issue to police.

Officers said the whole thing was a scam, and they believe the scammer she was in contact with lived somewhere outside the U.S.

McAfee Advises Consumers that Weak Passwords, Phishing Scams and Malicious Apps Continue to Be a Threat

/0 Comments/in /by

On International Data Privacy Day, McAfee Reminds Consumers What Steps to Take to Protect Themselves

SANTA CLARA, Calif., January 27, 2019 – SANTA CLARA, Calif.–(BUSINESS WIRE)–On Data Privacy Day, McAfee warns consumers that cybercriminals are continuing to access personal information through weak passwords, phishing emails, connected things, malicious apps and unsecure Wi-Fi networks. McAfee is committed to helping consumers take the necessary steps to protect what matters through the tips listed below.

Weak Passwords: Consumers often pick simple passwords for the multiple accounts they use daily, not realizing that choosing weak passwords can open the door to identity theft and identity.

Tip: Use strong passwords that include uppercase and lowercase letters, numbers and symbols. Don’t use the same password for multiple accounts. Simplify your life by using a password manager to keep track of logins and create strong passwords that are difficult to hack.

Email phishing: Cybercriminals frequently dupe consumers by deploying phishing emails that appear to be sent by popular brands, such as Netflix and Spotify, disguised as a payment receipt.

Tip: Go directly to the source. Instead of clicking on a link within the email, it’s best to go straight to the company’s website to check the status of your account.

Malicious Mobile Apps: Malicious apps have become more challenging to detect, and there is no sign of them slowing down as bad actors have become more brazen with the apps they work to imitate.

Tip: Do research on the developer of a mobile app and never download an app from third-party app stores. Read the app reviews only download apps that have had healthy number of downloads.

Threats to Connected Things: IoT devices are becoming commonplace in homes thanks to their ease of use, but their poor security controls make them convenient targets for cybercriminals.

Tip: When buying new connected things, confirm that the vendor has a history of delivering secure devices that are privacy centric. Consider getting a router with built-in security features to make it easier to protect all the connected devices in your home.

Public Wi-Fi: Many consumers connect to public or semi-private Wi-Fi networks to improve their smartphone connection speeds or reserve data usage. However, many overlook the fact that public Wi-Fi are risky and could put them jeopardy to be targeted by hackers.

Tip: When connecting to public Wi-Fi, don’t connect to any services that share personal or financial information. Be sure to use a personal VPN when on the go, which allows users to securely connect and keep their personal data from prying eyes.

“Data Privacy Day is the perfect opportunity for consumers to educate themselves on the precautions required to safely embrace technologies and online experiences,” said Gary Davis, McAfee’s Chief Consumer Security Evangelist. “They should set aside time on this day to take active steps to evaluate the ways in which their data may be compromised and learn more about appropriate security and privacy techniques will help keep them and their families safe.”

About McAfee

McAfee is the device-to-cloud cybersecurity company. Inspired by the power

of working together, McAfee creates business and consumer solutions that make our world a safer place. www.mcafee.com

McAfee technologies’ features and benefits depend on system configuration and may require enabled hardware, software, or service activation. No computer system can be absolutely secure. McAfee® and the McAfee logo are trademarks of McAfee, LLC or its subsidiaries in the United States and other countries. Other marks and brands may be claimed as the property of others.

Antivirus headaches that compromise browser security

/0 Comments/in /by

If the goal is revenue, enterprises need to care about browser security

MIAMI — Google is one company that lives and dies in the web, so for many reasons, they need to care — a lot — about browser security. That was the focus of engineering lead for Chrome Security at Google, Justin Schuh’s keynote speech at this year’s Infiltrate 2017 conference.

There are three main reasons why Google needs to care. First, pretty much all of its revenue is funneled through the browser, “People need to feel that it’s reasonably safe,” Schuh said.

Securing the web browser wasn’t always a paramount concern, though, even for Google. What served as a huge wake up call for them was Operation Aurora in 2009. State-sponsored hackers broke into Google, which actually caused a significant change.

Few know better than those in the security industry that change doesn’t always come easily. One reason that change is slow going stems from what Schuh called, “Open source hippies. People approach things wildly differently. We believe in the web as an ecosystem, and that we can move the whole thing forward and make it a lot better.”

With all that wisdom and good intention, why is browser security so tough?

“There are a lot of different things at play,” said Schuh. “There are a lot of diverse platforms on Chrome, and that makes security a particularly tricky thing, so you’re trying to support the same browser on a lot of different platforms. Then there’s the third party code issues.”

Not to mention the diverse constituencies that need to be catered to, from the developers and users being served to the employer goals and agendas. Security then has to figure out how that all fits together, said Schuh.

The added layer of competition on web ads, said Schuh, adds a lot of complexity. “That’s a big revenue funnel, and a lot of people are competing for that funnel. The browser is just a commodity, and the cost of switching is really low, especially when most users don’t understand security enough for it to influence their browser using decision.”

With all of these obstacles in mind, Chrome has defined three main strategies to approaching security, which include isolation, mitigations, and anti-abuse (the phishing and downloading stuff, Schuh said).

“Sandboxing is the big thing we focus on. It’s our strongest line of defense. It’s the number one thing that we do, so we keep building on and refining it. Isolation is the main thing we are investing most in, which differs from other browsers,” said Schuh.

In terms of mitigation, they discriminate a little more. “They have some use. If they don’t add significant code complexity and performance overhead, we use them. There’s been a lot of investment in Clan CFI, but with the goal of trying to build some sort of memory safe-ish inner sandbox thing.”

Google being Google, it does have a lot of resources available, which is especially beneficial when it comes to threat intelligence and being able to experiment at scale.

“HTTP2, that was something that grew out of an experiment at scale,” said Schuh.

Despite all of those available resources, they still come under friendly fire, which Schuh said is the invasive and unsafe stuff that gets bundled in or injected from browser plugins, OEM value adds, CERT authorities, and antivirus and other security products.

What’s so bad about them? Schuh asked. “They are breaking security expectations. These things are breaking your expectations on their way to introducing the most vulnerabilities they can.”

These third-party capabilities, including NPAPI plugins, are invasive and fundamentally unsafe, said Schuh. “It’s not really an API but an organic growth of leaky platforms. It’s a bundle of purely native code that operates outside of the browser constraints making it effectively impossible to sandbox.”

Given that the exchange of communications across the internet depends on every certificate authority being secure, relying on the CA to enforce the connection between the website and the browser also causes major headaches for security engineers.

“The system itself has no way of tying a cert to a specific CA, yet there are literally thousands of intermediary CAs. Any one of them can effectively be bypassed,” Schuh said.

Schuh’s deepest loathing, though, is the dreaded antivirus. Antivirus is what drives Schuh to vent on Twitter, he joked. Specifically, he shared the anecdote of an issue incurred with the antivirus man-in-the-middle cert, which uses weak hash algorithms.

“There was this huge spike in HTTPS errors, and clients couldn’t talk to to secure sites anymore,” Schuh said. When he contacted the antivirus vendor, no one was familiar with the code. “Someone suggested that it might have been written by an intern a couple years ago.”

These are the frustrating security issues that challenge even the most experienced and educated engineering teams. After some time, one of their engineers anted up, said Schuh. They pushed out a fix to an old program, but they were still getting those elevated errors.

“Only the paying customers got the updates,” Schuh said. “The non-paying customers get the broken TLS. If you are no longer a paying customer but you have this thing installed,” Schuh mused to make the point that these security challenges are issues that can potentially compromise security when dealing with the good guys.

“They all fixed the outdated and vulnerable code,” said Schuh, but more to the point, “Even the best behaved products have no support for enhanced nets like HPKP. They are just expected to provide grossly inferior security.”

In addition to the binary injections that eat up way too much of Schuh’s time, what is incredibly frustrating is that they have teams planning out these important security features. In reality, they can expect a year for any new significant mitigation.

Followers on Twitter will also find Schuh tweeting about the reality that third-party capabilities are invasive and fundamentally unsafe. “We are trying to work around these problems, but there’s no way that AV provider X is investing as much in securing themselves,” Schuh said.

The solution? It’s not clear that there is one, but Schuh said, “They need to stop doing this. If it doesn’t start soon, we will have to take creative measures to stop.”

Of course that begged the question from an audience member, “What creative measures?”

“That’s where it gets really interesting. Windows 10 added mitigations for blocking third party AV injection. Edge is currently using some of those, and crash rates have dramatically dropped,” Schuh said.

There is also aggressive stuff, like going all the way down into the kernel, Schuh added.”As much as I complain about AVs, we haven’t had significant issues with Windows Defender. It’s quite robust. It’s interesting because it’s one you don’t have to pay for.”

Because Microsoft isn’t trying to rush it’s product to market, they can care more about the features in their products. “If I were a CISO deploying an AV program, I’d go with Microsoft Defender,” Schuh said.

But as a security engineer, he is trying to work with antivirus to find ways to work together that benefit the entire ecosystem.

Kaspersky Helped NSA Catch Spyware Leaker (Report)

/0 Comments/in /by

Here’s an ironic twist: Kaspersky Lab, the antivirus firm banned from U.S. government computersover suspected Russian intelligence ties, helped the National Security Agency catch a contractor accused of leaking U.S. secrets, a new report says.

Writing for Politico, veteran cybersecurity report Kim Zetter says sources told her that Kaspersky researchers in 2016 gave the NSA screenshots of Twitter direct messages in which alleged leaker Harold T. Martin III tried to contact Kaspersky researchers.

The Kaspersky team also gave the NSA Martin’s name and location, which the researchers had quickly figured out even though he apparently tried to disguise his identity by using a pseudonymous Twitter account. Five days later, Martin was arrested at his home in suburban Maryland.

MORE: Kaspersky Russian Spying Rumors: Should You Use This Antivirus?

Zetter says that on Aug. 13, 2016, Martin tried to reach out to a Kaspersky researcher using a Twitter account named “@hal_99999999”. (The account is still up but its Tweets are protected.)

He apparently indicated that he wanted to communicate with “Yevgeny” — presumably Kaspersky Lab chief Eugene Kaspersky — and that whatever he wanted to talk about had a “shelf life” of “three weeks.”

Those two DMs were mentioned in a December court filing that Politico uncovered last week, although information about to whom the messages were sent was redacted.

Thirty minutes after Martin sent those two DMs, the Shadow Brokers, a still-unknown group thought to be tied to Russian intelligence, starting putting stolen NSA malware up for auction online.

However, Zetter said, the Kaspersky researcher Martin tried to contact was on vacation and didn’t see the DMs until Aug. 16. He then tried to respond to Martin, but Martin blocked him on Twitter.

On Aug. 18, Martin allegedly tried to reach a second Kaspersky researcher via Twitter direct messages, saying he was “still considering it.” Asked by the second researcher what Martin was considering, he said “what we are all fighting for” and referred to a Jason Bourne movie and the movie “Inception.”

Kaspersky tipped off the NSA

Instead of continuing the conversation, the Kaspersky team did some digging and found the same Twitter username tied to a personal ad on an S&M website, along with a personal photo and a location. They also found a LinkedIn profile for Martin.

On Aug. 22, a Kaspersky staffer sent the information to someone he knew in the NSA. On Aug. 27, the FBI raided Martin’s home and arrested him.

Martin is accused of stealing 50 terabytes’ worth of secrets, including spyware and hacking tools used in intelligence-gathering information, from the NSA and other government agencies over 20 years.

Martin, a contractor employed by Booz Allen Hamilton, the same firm that employed NSA leaker Edward Snowden, contends that he merely took the data home to work on it during off hours. But even that would be a major security violation.

The government seeks to prove that Martin willingly or unwillingly passed along the NSA data to the Shadow Brokers, who tried to sell the purported NSA tools online from August 2016 to April 2017 but eventually started giving it away.

Possible ties to WannaCry

Some of the NSA hacking tools uncovered by the Shadow Brokers were used in the WannaCry ransomware outbreak in May 2017, which has been blamed on North Korea. In June 2017, some of the same tools were used in the NotPetya ransomware attacks, which began in Ukraine, spread across Europe and have since been blamed on Russia.

However, no one has been able to prove a definitive connection between Martin and the Shadow Brokers.

It’s also possible that the Shadow Brokers got the information from Nghia Hoang Pho, a second NSA contractor who also took large amounts of data home.

Pho had Kaspersky antivirus software installed on his home computer, and a story in The Wall Street Journal in October 2017, citing anonymous sources, alleged that the Kaspersky software was used to steal the NSA secrets from his machine.

Kaspersky Lab retorted by saying that Pho’s computer appeared to be infected with unknown malware, and that the malware was uploaded to Kaspersky’s servers as part of normal procedures for analysis. (Most antivirus software routinely does this.)

To make things even more complicated, The New York Times said that the NSA knew this to be the case because it had been given evidence by Israeli spies who had broken into Kaspersky Lab servers.

Pho pleaded guilty to taking secret data home and was sentenced to five and a half years in prison in September 2018.

Martin plans to plead guilty Jan. 22 to a single count of willful retention of national defense information, according to court filings. He still faces trial on 19 other counts. Each of the 20 counts carries a maximum penalty of 10 years in prison.