vx-underground (@vxunderground)
A person operating under the moniker "mizanthropiaz" compromised the Brazilian government's Emergency Alert System in Sao Paulo, Rio, and Brasilia. The Threat Actor sent a notification to hundreds of thousands of people which read "misanthropi4".
More details have emerged regarding the compromise, and truthfully, it is terrifying. The Brazilian government is extremely secure and it is quite remarkable any living person could have gotten past their enhanced security measures.
"mizanthropiaz" found a username and password login to the Brazilian government's Emergency Alert System. The username and password were present because an employee working there accidentally infected themselves with malware in 2016.
The employee there did not change the password in over 10 years.
But, after the employee accidentally infected their computer with malware, did they change their password? No.
But, did the Brazilian government do IP address blacklisting which would prevent unauthorized devices from accessing the Emergency Alert System? No.
But, did the Brazilian government require a VPN connection to authenticate to the Emergency Alert System because it's a government network? No.
But, did the Brazilian government require MFA (e-mail, text, or Authenticator Code)? No.
But, did the Brazilian government send notifications on new devices connecting? No.
But, did the Brazilian government issue alerts on password changes or password change requests? No.
But, did the Brazilian government require e-mail verification prior to changing or resetting passwords? No.
But, did the Brazilian government have rate-limiting to prevent brute-force attacks? No.
But, did the Brazilian government introduce a CAPTCHA to prevent brute-force attacks? Yes, but it was 2+2 and it never changed. It always asked "2+2=".
But, did the Brazilian government require password complexity to make brute-forcing difficult? No, the Brazilian government employee's password was the same as their username.
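
An added illustration, not part of the original post and not code from any system it describes: three of the missing controls listed above (rate-limiting, new-device notifications, password-change alerts) written as detection logic over authentication events. The event format, account names, addresses, thresholds and alert names are all assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not data from the incident):
# (ISO time, account, source IP, device id, action)
EVENTS = [
    ("2025-01-10T08:00:00", "operator1", "198.51.100.7", "dev-A", "login_ok"),
    ("2025-01-11T08:02:00", "operator1", "198.51.100.7", "dev-A", "login_ok"),
    # Five failed logins from one address inside 20 seconds.
    *[(f"2025-01-12T03:10:{s:02d}", "operator1", "203.0.113.50", "dev-Z",
       "login_fail") for s in range(0, 25, 5)],
    ("2025-01-12T03:11:00", "operator1", "203.0.113.50", "dev-Z", "login_ok"),
    ("2025-01-12T03:12:00", "operator1", "203.0.113.50", "dev-Z", "password_change"),
]


def audit(events, max_fails=5, window=timedelta(minutes=1)):
    """Return (time, account, alert) tuples for the three controls modeled."""
    known = defaultdict(set)    # account -> (ip, device) pairs with a past success
    fails = defaultdict(deque)  # source IP -> timestamps of recent failures
    alerts = []
    for ts, account, ip, device, action in sorted(events):
        now = datetime.fromisoformat(ts)
        if action == "login_fail":
            recent = fails[ip]
            recent.append(now)
            # Sliding window: forget failures older than `window`.
            while now - recent[0] > window:
                recent.popleft()
            if len(recent) == max_fails:
                alerts.append((ts, account, "rate_limit_exceeded"))
        elif action == "login_ok":
            pair = (ip, device)
            # The first success for an account only sets the baseline.
            if known[account] and pair not in known[account]:
                alerts.append((ts, account, "new_device_login"))
            known[account].add(pair)
        elif action == "password_change":
            # Every change is surfaced so the account owner can confirm it.
            alerts.append((ts, account, "password_changed"))
    return alerts


if __name__ == "__main__":
    for alert in audit(EVENTS):
        print(*alert)
```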