Future Tech

SBF likely off the hook for misplaced FTX funds after cops bust SIM swap ring

Tan KW
Publish date: Mon, 05 Feb 2024, 11:32 AM

Infosec In Brief The recent indictment of a massive SIM-swapping ring may mean convicted crypto conman Sam Bankman-Fried is innocent of at least one allegation still hanging over his head: The theft of more than $400 million in crypto hacked from wallets belonging to his crypto firm, FTX, just before it declared bankruptcy.

As reported earlier this week, a trio of individuals, led by Chicago resident Robert Powell, were indicted [PDF] on charges of committing SIM swapping attacks on over 50 victims in 13 US states from 2021 until 2023, stealing hundreds of millions of dollars in the process.

The trio's biggest haul was the theft of more than $400 million in cryptocurrency from an unnamed "Victim Company-1" on November 11, 2022 - the same day that FTX declared bankruptcy and an unknown attacker stole roughly $415m in crypto from the firm.

Brian Krebs was the first to make the connection between the indictment of the Powell gang and the FTX theft, and blockchain analytics firm Elliptic backed him up, noting "we are not aware of any other thefts from crypto businesses on this scale, on these dates."

"It therefore appears likely that FTX is the 'Victim Company-1' named in the indictment," Elliptic concluded, while admitting that it's not clear if Powell and his co-conspirators stole the money themselves, or facilitated the theft on behalf of another party.

Bloomberg, citing unnamed sources familiar with the case, said it's received confirmation that Victim Company-1 is, indeed, FTX.

Powell was reportedly arrested in Chicago last week and is being held without bond pending transfer to Washington, DC to face charges. His co-conspirators, Carter Rohn of Indianapolis, Indiana, and Emily Hernandez of Colorado Springs, Colorado, have also been apprehended.

While SBF might be off the hook for this element of his mismanagement of FTX, that won’t help him to walk free, as he was convicted on seven charges in October 2023 and faces up to 110 years in prison when sentenced next month.

Qualys spots more nasty glibc vulns

Security researchers at Qualys have discovered several vulnerabilities in the GNU C Library - aka glibc - a fundamental part of many Linux systems.

The issues were identified in glibc's syslog and qsort functions, and while an attacker needs local access to exploit the vulnerabilities, the result could be root access for an unprivileged user on Linux distributions including Debian, Fedora and Ubuntu.

The first, CVE-2023-6246 (CVSS 7.8), is a heap-based buffer overflow found in __vsyslog_internal() and affects both syslog() and vsyslog(). It was inadvertently introduced in glibc 2.37 way back in 2022, and back-ported to 2.36 after that.

While analyzing that vulnerability, Qualys researchers spotted two additional minor vulnerabilities, plus a memory corruption issue in qsort(). Qualys warned the qsort() bug affects all versions of glibc going back to 1992, but the glibc team believes the issue lies in calling applications that pass bad data, and thus any CVE issued should be on those apps, not glibc.
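
What "bad data" means in the qsort() dispute, shown as an added example that is not from the article, Qualys or the glibc project: the problematic input is a non-transitive comparison function, typically the `return a - b` idiom. The C sketch below tests two comparators for transitivity over constructed probe values; the function names, `PROBES` and the sample array are hypothetical.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

typedef int (*cmp_fn)(const void *, const void *);

/* Constructed probe values chosen to straddle the int range. */
static const int PROBES[] = { INT_MIN, -1, 0, 1, INT_MAX };
#define N_PROBES (sizeof PROBES / sizeof PROBES[0])

/* Common but broken idiom: "return a - b". The difference wraps for operands
   far apart (computed in unsigned here to avoid signed-overflow UB; the cast
   back to int wraps on gcc/clang), so the sign flips and the ordering stops
   being transitive. */
static int cmp_subtract(const void *pa, const void *pb)
{
    unsigned a = (unsigned)*(const int *)pa, b = (unsigned)*(const int *)pb;
    return (int)(a - b);
}

/* Overflow-free comparator: always returns -1, 0 or 1. */
static int cmp_safe(const void *pa, const void *pb)
{
    int a = *(const int *)pa, b = *(const int *)pb;
    return (a > b) - (a < b);
}

/* Returns 1 if some triple has x<y and y<z but not x<z under cmp, else 0. */
int violates_transitivity(cmp_fn cmp, const int *v, size_t n)
{
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < n; j++)
            for (size_t k = 0; k < n; k++)
                if (cmp(&v[i], &v[j]) < 0 && cmp(&v[j], &v[k]) < 0 &&
                    cmp(&v[i], &v[k]) >= 0)
                    return 1;
    return 0;
}

int main(void)
{
    int data[] = { 7, INT_MAX, -3, INT_MIN, 0 };  /* constructed sample */
    size_t n = sizeof data / sizeof data[0];
    printf("a - b comparator non-transitive: %d\n",
           violates_transitivity(cmp_subtract, PROBES, N_PROBES));
    printf("safe comparator non-transitive:  %d\n",
           violates_transitivity(cmp_safe, PROBES, N_PROBES));
    qsort(data, n, sizeof data[0], cmp_safe);  /* only the safe one reaches qsort */
    for (size_t i = 0; i < n; i++)
        printf("%d ", data[i]);
    putchar('\n');
    return 0;
}
```

Auditing a code base for comparators that return a raw difference of their operands is the application-side check this disagreement points to.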

"Even the most foundational and trusted components are not immune to flaws," Qualys said of the discovery, which isn't the first it's found in glibc lately.

DraftKings hacker sentenced, co-conspirators arrested

The Wisconsin teenager behind the theft of $600,000 from users of sports betting website DraftKings has been sentenced to 18 months in prison.

Along with his time in the clink, 19-year-old Joseph Garrison, who pled guilty to one of six charges on which he was indicted, will have to submit to three years of supervised release and pay more than $1.5 million in forfeiture and restitution costs to victims, the US Department of Justice announced.

Garrison, who committed his crimes in late 2022, relied on credential stuffing to break into some 1,600 accounts. It's not clear where he acquired the reused username and password combinations used to break into DraftKings, though such information is easily purchased on the dark web.

The US Attorney's Office for the Southern District of New York announced two additional indictments and arrests in the DraftKings case earlier this week. ®

 

https://www.theregister.com//2024/02/05/sbf_off_the_hook_for/
