Jewelry site accidentally leaks personal details (and plaintext passwords!) of 1.3M users

Researchers from German security firm Kromtech Security allege that until recently, MBM Company was improperly handling customer details. On February 6, they identified an unsecured Amazon S3 storage bucket, containing a MSSQL database backup file.

According to Kromtech Security’s head of communications, Bob Diachenko, further analysis of the file revealed it held the personal information for over 1.3 million people. This includes addresses, zip-codes, e-mail addresses, and IP addresses. He also claims the database contained plaintext passwords — which is a big security ‘no-no.’

In a press release, Diachenko said: “Passwords were stored in the plain text, which is great negligence [sic], taking into account the problem with many users re-using passwords for multiple accounts, including email accounts.”

The backup file was named ‘MBMWEB_backup_2018_01_13_003008_2864410.bak,’ which suggests the file was created on January 13, 2018. It’s believed to contain current information about the company’s customers. Records held in the database have dates reaching as far back as 2000. The latest records are from the start of this year.

Other records held in the database include internal mailing lists, promo-codes, and item orders, which leads Kromtech to believe that this could be the primary customer database for the company.

Source: Jewelry site accidentally leaks personal details (and plaintext passwords!) of 1.3M users

Who still stores user credentials in plain text?!

Can AMD Vulnerabilities Be Used to Game the Stock Market?

On Tuesday, a little known security company claimed to have found vulnerabilities and backdoors in some AMD processors. Within some parts of the security community, the story behind the researchers’ discovery quickly became more interesting than the discovery itself.

The researchers, who work for CTS Labs, only reported the flaws to AMD shortly before publishing their report online. Typically, researchers give companies a few weeks or even months to fix the issues before going public with their findings. To make things even stranger, a little bit over 30 minutes after CTS Labs published its report, a controversial financial firm called Viceroy Research published what they called an “obituary” for AMD.

“We believe AMD is worth $0.00 and will have no choice but to file for Chapter 11 (Bankruptcy) in order to effectively deal with the repercussions of recent discoveries,” Viceroy wrote in its report.

CTS Labs seemed to hint that it too had a financial interest in the performance of AMD stock.

“We may have, either directly or indirectly, an economic interest in the performance of the securities of the companies whose products are the subject of our reports,” CTS Labs wrote in the legal disclaimer section of its report.

On Twitter, rumors started to swirl. Are the researchers trying to make money by betting that AMD’s share price will go down due to the news of the vulnerabilities? Or, in Wall Street jargon, were CTS Labs and Viceroy trying to short sell AMD stock?

Security researcher Arrigo Triulzi speculated that Viceroy and CTS Labs were profit sharing for shorting, while Facebook’s chief security officer Alex Stamos warned against a future where security research is driven by short selling.

Yaron Luk, co-founder of CTS Labs, told Motherboard that “Viceroy is not a client of CTS, and CTS did not send its research to Viceroy.” When asked about the company’s financial motivations, Luk said that “we are a for-profit company that gets paid for its research by a variety of research clients.”

“We do not discuss our research clients,” he wrote in an email sent after publication of this article. “In addition, we are driven by the desire to make products more secure, and to protect users, as we hold companies responsible for their security practices.”

Viceroy’s founder, Fraser Perring, was adamant about his company’s intentions.

“We haven’t hidden the fact that we short the stock,” Perring said in a phone call with Motherboard. “Where does a company with these serious issues go? For us you can’t invest in it.”

Source: Can AMD Vulnerabilities Be Used to Game the Stock Market? – Motherboard

Major Survey of IT Pros Reveals Why Everything Gets Hacked All the Damn Time, paying for ransomware is like flipping a coin

More than 1,000 security employees in as many as 17 countries participated in the survey. Most said the biggest hurdle to mounting an adequate defense against cyber threats today is the lack of skilled personnel. (Poor security awareness and an inability to sift through enormous piles of data tied for second place.)

The survey, which included 1,200 respondents working in 19 industries, was compiled by CyberEdge Group, a research and marketing firm serving high-tech vendors and service providers.

More interesting is the feedback collected from respondents who said their organizations were infected with ransomware in the last year. (Ransomware tied with phishing attacks for the second most crucial security concern; the first, as per usual, is malware.)

Slightly more than half of the respondents’ organizations that actually paid a ransom to recover stolen or encrypted data—either in Bitcoin or some other anonymous currency—were unable to recover their data. In total, the report says, a little under 39 percent of the organizations resolved to pay.

“Flip a coin once to determine whether your organization will be affected by ransomware,” CyberEdge suggests. “If it will be, flip it again to determine whether paying the ransom will actually get your data back.”

Source: Major Survey of IT Pros Reveals Why Everything Gets Hacked All the Damn Time

Samba allows any authenticated user to change everyone’s password

On a Samba 4 AD DC the LDAP server in all versions of Samba from 4.0.0 onwards incorrectly validates permissions to modify passwords over LDAP, allowing authenticated users to change any other users’ passwords, including administrative users and privileged service accounts (e.g. Domain Controllers).

The LDAP server incorrectly validates certain LDAP password modifications against the “Change Password” privilege, but then performs a password reset operation.

Source: Samba – Security Announcement Archive
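The distinction the advisory turns on, as an added example that is not Samba’s code: an LDAP password *change* deletes the old unicodePwd value and adds the new one (so the caller proves it knows the old password), while a *reset* replaces the attribute outright and must be gated on a separate reset right. The account model, the right names and the request shapes below are assumptions made for illustration.

```python
"""Added example, not Samba code: tell an LDAP password *change* from a
password *reset* before choosing which permission check to apply.

In AD-style directories a change is a modify that deletes the old
unicodePwd value and adds the new one (so the caller proves it knows the
old password); a reset is a single replace of the attribute. The bug
described above validated against the "Change Password" privilege and
then performed a reset. Account model, right names and request shapes
below are assumptions for illustration."""

from dataclasses import dataclass, field

# Assumed name for the control-access right that allows resetting another
# account's password (modelled on the AD "Reset Password" extended right).
RESET_RIGHT = "Reset-Password"


@dataclass
class Account:
    name: str
    password: str
    rights: set = field(default_factory=set)  # rights held over other accounts


@dataclass
class Mod:
    op: str        # "delete", "add" or "replace"
    attr: str
    values: list


def classify(mods):
    """Return "change" for delete-old + add-new, "reset" for replace."""
    ops = [m.op for m in mods if m.attr == "unicodePwd"]
    if ops == ["delete", "add"]:
        return "change"
    if ops == ["replace"]:
        return "reset"
    raise ValueError("unsupported unicodePwd modification: %r" % (ops,))


def _new_value(mods):
    return next(m.values[0] for m in mods if m.op in ("add", "replace"))


def vulnerable_modify(actor, target, mods):
    """Mirror of the flaw. "Change Password" is held by every authenticated
    user on every user object by default, so that check always passes for
    an authenticated caller; the server then writes the new value with
    reset semantics, never demanding the old password or the reset right."""
    if actor is None:                      # unauthenticated binds are refused
        return False
    target.password = _new_value(mods)
    return True


def fixed_modify(actor, target, mods):
    """Correct handling: a change must present the current password; a
    reset needs the reset right over the target."""
    if actor is None:
        return False
    kind = classify(mods)
    if kind == "change":
        old = next(m.values[0] for m in mods if m.op == "delete")
        if old != target.password:
            return False
    elif RESET_RIGHT not in actor.rights:
        return False
    target.password = _new_value(mods)
    return True


def demo():
    """Unprivileged 'alice' replaces the admin password: accepted by the
    vulnerable path, refused by the fixed one."""
    admin = Account("admin", "Adm1n!", {RESET_RIGHT})
    alice = Account("alice", "alice-old")
    reset = [Mod("replace", "unicodePwd", ["pwned"])]
    return vulnerable_modify(alice, admin, reset), fixed_modify(alice, admin, reset)


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The point of `classify` is that the authorisation decision must be made from the shape of the request, not from the privilege that happens to be easiest to check; a directory that evaluates the change right and then executes a reset has granted reset to everyone.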

Hardcoded Password Found in Cisco Software

The hardcoded password issue affects Cisco’s Prime Collaboration Provisioning (PCP), a software application that can be used for the remote installation and maintenance of other Cisco voice and video products. Cisco PCP is often installed on Linux servers.

Cisco says that an attacker could exploit this vulnerability (CVE-2018-0141) by connecting to the affected system via Secure Shell (SSH) using the hardcoded password.

Flaw considered critical despite “local” attack vector

The flaw can be exploited only by local attackers, and it also grants access to a low-privileged user account. In spite of this, Cisco has classified the issue as “critical.”

Although this vulnerability has a Common Vulnerability Scoring System (CVSS) Base score of 5.9, which is normally assigned a Security Impact Rating (SIR) of Medium, there are extenuating circumstances that allow an attacker to elevate privileges to root. For these reasons, the SIR has been set to Critical.

The reasons are that an attacker can infect another device on the same network and use it as a proxy for his SSH connection to the vulnerable Cisco PCP instance, allowing for remote, over-the-Internet exploitation.

Source: Hardcoded Password Found in Cisco Software

Highly painful

Researchers Bypassed Windows Password Locks With Cortana Voice Commands

Tal Be’ery and Amichai Shulman found that the always-listening Cortana agent responds to some voice commands even when computers are asleep and locked, allowing someone with physical access to plug a USB with a network adapter into the computer, then verbally instruct Cortana to launch the computer’s browser and go to a web address that does not use https—that is, a web address that does not encrypt traffic between a user’s machine and the website. The attacker’s malicious network adapter then intercepts the web session to send the computer to a malicious site instead, where malware downloads to the machine, all while the computer owner believes his or her machine is protected.

Source: Researchers Bypassed Windows Password Locks With Cortana Voice Commands – Motherboard

Leaked Files Show How the NSA Tracks Other Countries’ Hackers

When the mysterious entity known as the “Shadow Brokers” released a tranche of stolen NSA hacking tools to the internet a year ago, most experts who studied the material homed in on the most potent tools, so-called zero-day exploits that could be used to install malware and take over machines. But a group of Hungarian security researchers spotted something else in the data, a collection of scripts and scanning tools that the National Security Agency uses to detect other nation-state hackers on the machines it infects.

It turns out those scripts and tools are just as interesting as the exploits. They show that in 2013 — the year the NSA tools were believed to have been stolen by the Shadow Brokers — the agency was tracking at least 45 different nation-state operations, known in the security community as advanced persistent threats, or APTs. Some of these appear to be operations known by the broader security community — but some may be threat actors and operations currently unknown to researchers.

The scripts and scanning tools dumped by Shadow Brokers and studied by the Hungarians were created by an NSA team known as Territorial Dispute, or TeDi. Intelligence sources told The Intercept that the NSA established the team after hackers, believed to be from China, stole designs for the military’s Joint Strike Fighter plane, along with other sensitive data, from U.S. defense contractors in 2007; the team was supposed to detect and counter sophisticated nation-state attackers more quickly, when they first began to emerge online.

“As opposed to the U.S. only finding out in five years that everything was stolen, their goal was to try to figure out when it was being stolen in real time,” one intelligence source told The Intercept.

But their mission evolved to also provide situational awareness for NSA hackers to help them know when other nation-state actors are in machines that they’re trying to hack.

Source: Leaked Files Show How the NSA Tracks Other Countries’ Hackers

Internet of Babies – 52000 baby monitors open for public viewing

Earlier this month, we published our first article of our Internet of Things series, “IoD – Internet of Dildos”. As promised, we expanded our research and would like to present you with the first results of our “IoB – Internet of Babies” research.

Baby monitors serve an important purpose in securing and monitoring our loved ones. Unfortunately, the investigated device “Mi-Cam” from miSafes (and potentially further devices) is affected by a number of critical security vulnerabilities which raise serious security and privacy concerns. An attacker is able to access and interact with arbitrary video baby monitors and hijack other user accounts. Based on observed user identifier values extracted from the cloud API and Google Play store data, an estimated total of over 52,000 user accounts and video baby monitors are affected (implying a 1:1 distribution of user accounts to video baby monitors). Even worse, neither the vendor nor the CNCERT/CC could be reached to coordinate our responsible disclosure process. Hence the issues are (up until the publication of this article) not patched and our recommendation is to keep the video baby monitors offline until further notice.

Source: Internet of Babies – When baby monitors fail to be smart | SEC Consult

IBM Finds Fortune 500 Companies will lose $9 billion to phishing scams in 2018 – this is what these attacks look like

IBM X-Force Incident Response and Intelligence Services (IRIS) assesses that threat groups of likely Nigerian origin are engaged in a widespread credential harvesting, phishing and social engineering campaign designed to steal financial assets. Beginning in the fall of 2017, X-Force IRIS experienced a significant increase in clients reporting instances of fraud or attempted fraud via wire transfer payments. These threat groups successfully used business email compromise (BEC) scams to convince accounts payable personnel at some Fortune 500 companies to initiate fraudulent wire transfers into attacker-controlled accounts, resulting in the theft of millions of dollars.
[…]
Business email compromise scams involve taking over or impersonating a trusted user’s email account to target companies that conduct international wire transfers with the goal of diverting payments to an attacker-controlled account.

These attacks are almost entirely based on phishing and social engineering, and are thus attractive to cybercriminals due to their relative simplicity. In most cases, BEC scams involve little to no technical knowledge, malware or special tools.

A recent report by Trend Micro predicted that BEC attacks will comprise over $9 billion in losses in 2018, up from $5.3 billion at the end of 2016. According to the FBI, BEC scams have been reported in every U.S. state and across 131 nations, and have resulted in high-profile arrests.
[…]
The following tactics were common to the attacks examined by X-Force IRIS researchers:

Phishing emails were sent either directly from or spoofed to appear to be from known contacts in the target employee’s address book.

Attackers mimicked previous conversations or inserted themselves into current conversations between business email users.

Attackers masqueraded as a known contact from a known vendor or associated company and requested that wire payments be sent to an “updated” bank account number or beneficiary.

Attackers created mail filters to ensure that communications were conducted only between the attacker and victim and, in some cases, to monitor a compromised user’s inbox.

In cases in which additional approval or paperwork was needed, the attackers found and filled out appropriate forms and spoofed supervisor emails to get required approvals.

Without the use of any malware, and with legitimate stakeholders performing the actual transactions, traditional detection tools and spam filters failed to identify evidence of a compromise.
[…]
The BEC scams identified by IBM incident responders consist of two separate but connected goals. The first is to harvest mass amounts of business user credentials, and the second is to use these credentials to impersonate their rightful owners and ultimately trick employees into diverting fund transfers to bank accounts the attackers control.

To achieve the first goal, the attackers used credential sets they had already compromised to send a mass phishing email to the user’s internal and external contacts. The phish was often sent to several hundred contacts at a time and was engineered to look legitimate to the spammed contacts.
[…]
To accomplish the second goal, the attackers focused on stolen credentials from companies that use single-factor authentication and an email web portal. For example, companies that only require a username and password for employees to access their Microsoft Office 365 accounts were compromised. Using email web portals ensured the attackers’ ability to complete these attacks online and without compromising the victim’s corporate network. The attackers specifically targeted personnel involved in the organization’s accounts payable departments to ensure that the victim had access to the company’s bank accounts.

Before engaging with any employee, the attackers likely undertook a reconnaissance phase, looking through activity within the user’s email folders in search of subjects and opportunities to exploit and, eventually, creating or inserting themselves into relevant conversations.
[…]
Since the attackers conducted correspondence from a victim user’s email, they created email rules to keep the victim unaware of the compromise. In cases in which the attackers impersonated the user, the attackers auto-deleted all emails delivered from within the user’s company. They likely did this to prevent the user from seeing any fraudulent correspondence or unusual messages in his or her inbox. Additionally, the attacker auto-forwarded email responses to a different email to read the responses without logging in to the compromised account.

Separately, when attackers used stolen credentials to send mass phishing emails, they simultaneously set up an email rule to filter all responses to the phish, undelivered messages, or messages containing words such as “hacked” or “email” to the user’s RSS feeds folder and marked them as read.

Source: IBM X-Force IRIS Uncovers Active Business Email Compromise Campaign Targeting Fortune 500 Companies
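The inbox-rule tradecraft above (external auto-forward, auto-delete of internal mail, replies about the phish filed to the RSS folder and marked read) is the one artefact a defender can enumerate cheaply, since the attackers used no malware. The following is an added example, not IBM’s code, that scores rule records for those patterns. The records are constructed to resemble the fields Exchange Online reports for inbox rules; the field names, the internal domain and the sample data are assumptions.

```python
"""Added example, not IBM's code: flag mailbox inbox rules that match the
BEC tradecraft described above (external auto-forward, auto-delete of
internal mail, responses about the phish filed to a hiding folder and
marked read). The rule records are constructed to resemble the fields
Exchange Online reports for inbox rules; field names, the internal domain
and the sample data are assumptions."""

INTERNAL_DOMAIN = "example.com"          # assumed tenant domain
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "junk email",
                  "deleted items", "conversation history", "archive"}
SUSPECT_WORDS = {"hacked", "phish", "phishing", "password", "suspicious",
                 "undeliverable", "undelivered", "email"}

# Constructed sample: three attacker-style rules and two benign ones.
SAMPLE_RULES = [
    {"Name": "Sync", "Enabled": True, "MarkAsRead": True,
     "ForwardTo": ["backup.mailbox@mail-archive-service.net"]},
    {"Name": "Cleanup", "Enabled": True, "DeleteMessage": True,
     "FromAddressContainsWords": ["@example.com"]},
    {"Name": "Filter", "Enabled": True, "MarkAsRead": True,
     "MoveToFolder": "RSS Feeds",
     "SubjectOrBodyContainsWords": ["hacked", "email", "undeliverable"]},
    {"Name": "Newsletters", "Enabled": True, "MoveToFolder": "Newsletters",
     "FromAddressContainsWords": ["newsletter@vendor.example"]},
    {"Name": "Cover during leave", "Enabled": True,
     "ForwardTo": ["colleague@example.com"]},
]


def _external(addresses):
    """Addresses whose domain is not the tenant's own."""
    return [a for a in addresses
            if a.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN]


def rule_findings(rule):
    """Return the list of reasons a rule looks like BEC tradecraft."""
    findings = []
    ext = _external(rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
                    + rule.get("ForwardAsAttachmentTo", []))
    if ext:
        findings.append("forwards mail outside the tenant: " + ", ".join(ext))
    from_words = [w.lower() for w in rule.get("FromAddressContainsWords", [])]
    if rule.get("DeleteMessage") and any(INTERNAL_DOMAIN in w for w in from_words):
        findings.append("auto-deletes mail from internal senders")
    words = {w.lower() for w in rule.get("SubjectOrBodyContainsWords", [])}
    hidden = (rule.get("DeleteMessage")
              or rule.get("MoveToFolder", "").lower() in HIDING_FOLDERS)
    hits = sorted(words & SUSPECT_WORDS)
    if hits and hidden:
        findings.append("hides messages matching " + ", ".join(hits))
    if findings and rule.get("MarkAsRead"):
        findings.append("marks matches as read")
    return findings


def suspicious_rules(rules):
    """Map rule name -> findings for every enabled rule with at least one."""
    return {r["Name"]: rule_findings(r) for r in rules
            if r.get("Enabled", True) and rule_findings(r)}


if __name__ == "__main__":
    for name, why in suspicious_rules(SAMPLE_RULES).items():
        print(name, "->", "; ".join(why))
```

Run against a tenant-wide export of inbox rules, the interesting result is not a single rule but the combination: a newly created external forward plus a keyword filter into “RSS Feeds” on an accounts-payable mailbox is the compromise the article describes, before any wire transfer has been requested.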

uTorrent file-swappers urged to upgrade after PC hijack flaws sort of fixed

Users of uTorrent should grab the latest versions of the popular torrenting tools: serious security bugs, which malicious websites can exploit to commandeer PCs, were squashed this week in the software.

If you’re running a vulnerable Windows build of the pira, er, file-sharing applications while browsing the web, devious JavaScript code on an evil site can connect to your uTorrent app and leverage it to potentially rifle through your downloaded files or run malware.

The flaws were found by Googler Tavis Ormandy: he spotted and reported the vulnerabilities in BitTorrent’s uTorrent Classic and uTorrent Web apps in early December. This month, BitTorrent began emitting new versions of these products for people to install by hand or via the built-in update mechanism. These corrected builds were offered first as beta releases, and in the coming days will be issued as official updates, we’re told.

Look out for version 3.5.3.44352 or higher of the desktop flavor, or version 0.12.0.502 and higher of the Spotify-styled Web build.

The latest classic desktop app looks to be secured. However, Ormandy was skeptical the uTorrent Web client had been fully fixed, believing the software to still be vulnerable to attack. On Wednesday this week, he went public with his findings since he had, by this point, given BitTorrent three months to address their coding cockup.

“The vulnerability is now public because a patch is available, and BitTorrent have already exhausted their 90 days anyway,” Ormandy wrote in his advisory.

“I see no other option for affected users but to stop using uTorrent Web and contact BitTorrent and request a comprehensive patch. We’ve done all we can to give BitTorrent adequate time, information and feedback, and the issue remains unsolved.”

Source: uTorrent file-swappers urged to upgrade after PC hijack flaws fixed • The Register

Hey, you. App dev. You like secure software? Let’s learn from Tinder, Facebook’s blunders

When a horny netizen logs into their Tinder profile using their phone number as a username, the hookup app relies on the Facebook-built AccountKit.com to check the person is the legit owner of that account.

Facebook’s system texts a confirmation code to the punter, they receive it on their phone, and type the code into Account Kit’s website. Account Kit verifies the code is correct, and if it is, issues Tinder an authorization token, allowing the login attempt to complete.

It’s a simple, easy, and supposedly secure password-less system: your Tinder account is linked to your phone number, and as long as you can receive texts to that number, you can log into your Tinder account.

However, Appsecure founder Anand Prakash discovered Account Kit didn’t check whether the confirmation code was correct when the toolkit’s software interface – its API – was used in a particular way. Supplying a phone number as a “new_phone_number” parameter in an API call over HTTP skipped the verification code check, and the kit returned a valid “aks” authorization token.

Thus, you could supply anyone’s phone number to Account Kit, and it would return a legit “aks” access token as a cookie in the API’s HTTP response. That’s not great.

Prepare for trouble, and make it double

Now to Tinder. The app’s developers forgot to check the client ID number in the login token from Account Kit, meaning it would accept the aforementioned “aks” cookie as a legit token. Thus it was possible to create an authorization token belonging to a stranger from Account Kit, and then send it to Tinder’s app to log in as that person.

All you’d need is a victim’s phone number, and bam, you’re in their Tinder profile, reading their saucy messages between hookups or discovering how much of an unloved sad sack they were, and setting up dates.

Source: Hey, you. App dev. You like secure software? Let’s learn from Tinder, Facebook’s blunders • The Register
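The relying-party check Tinder skipped, as an added example that is neither Facebook’s nor Tinder’s code: an identity provider serving many apps signs tokens that carry the client ID the token was minted for, and the app must verify the signature and that the client ID is its own. Without the second check, a genuine token minted for any other app is accepted as a login. The token format (an HMAC over a JSON body), the key and the client IDs are invented for illustration; the Account Kit side of the bug (skipping the code check when `new_phone_number` was supplied) is not modelled.

```python
"""Added example, not Facebook's or Tinder's code: the relying-party check
the article says Tinder skipped. An identity provider that serves many
apps signs tokens carrying the app (client) ID the token was minted for;
the app must verify the signature AND that the client ID is its own,
otherwise a token minted for any other app is accepted. The token format
(HMAC over a JSON body), key and client IDs are invented for illustration."""

import base64
import hashlib
import hmac
import json

ISSUER_KEY = b"demo-issuer-key-do-not-use"   # assumption: provider-wide key
OUR_CLIENT_ID = "dating-app-123"              # assumption: this app's ID


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(client_id, phone, key=ISSUER_KEY):
    """Provider side: mint a token binding a verified phone to one client."""
    body = _b64(json.dumps({"client_id": client_id, "phone": phone},
                           sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def _verified_claims(token, key=ISSUER_KEY):
    """Return the claims if the signature is genuine, else None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(_unb64(body))


def login_insecure(token):
    """Signature only, no client-ID check: any genuine token logs in."""
    claims = _verified_claims(token)
    return claims["phone"] if claims else None


def login(token, client_id=OUR_CLIENT_ID):
    """Signature plus audience check: the token must name this app."""
    claims = _verified_claims(token)
    if claims is None or claims.get("client_id") != client_id:
        return None
    return claims["phone"]


if __name__ == "__main__":
    stranger = issue_token("some-other-app", "+15555550100")
    print(login_insecure(stranger), login(stranger))   # +15555550100 None
```

The same rule applies to OAuth and OpenID Connect: a signed token is proof that the issuer said something, not that it said it to you. Check `aud` (or the provider’s equivalent client ID claim) on every token before treating it as a session.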

A phishing attack scored credentials for more than 50,000 Snapchat users

In late July, Snap’s director of engineering emailed the company’s team in response to an unfolding privacy threat. A government official from Dorset in the United Kingdom had provided Snap with information about a recent attack on the company’s users: a publicly available list, embedded in a phishing website named klkviral.org, that listed 55,851 Snapchat accounts, along with their usernames and passwords.

The attack appeared to be connected to a previous incident that the company believed to have been coordinated from the Dominican Republic, according to emails obtained by The Verge. Not all of the account credentials were valid, and Snap had reset the majority of the accounts following the initial attack. But for some period of time, thousands of Snapchat account credentials were available on a public website.
[…]
Snap says it uses machine-learning techniques to look for suspicious links being sent within the app, and proactively blocks thousands of suspicious URLs per year. Users who were affected by the July attack were notified that their passwords had been reset via an email from the company.

In the July case, the company noticed that a single device had been logging into a large number of accounts and began flagging it as suspicious. But thousands of accounts had already been compromised.
[…]
It is unclear how long the attack went on, or when the Dominican Republic attack had begun. But by the morning of July 24th, Google had blocked klkviral.org from appearing in search results and flagged it as a malicious site for people trying to visit it. (Snap works with Google and other tech companies to maintain a list of known malicious sites.)

The accounts compromised in July represent a tiny fraction of Snap’s 187 million active users. But the incident illustrates how sites set up to mimic login screens can do an outsized amount of damage — and how companies must increasingly rely on machine-learning techniques to identify them in real time.

Source: A phishing attack scored credentials for more than 50,000 Snapchat users – The Verge

Facebook admits SMS notifications sent using two-factor number was caused by bug

The issue, which may have persisted for months or perhaps even longer, was flagged by Bay Area software engineer Gabriel Lewi, who tweeted about it earlier this week. Prominent technology critic and sociologist Zeynep Tufekci then used the situation as a springboard to criticize Facebook’s alleged unethical behavior, thinking the 2FA notifications may have been an intentional method for Facebook to boost user engagement.

“I am sorry for any inconvenience these messages might have caused. We are working to ensure that people who sign up for two-factor authentication won’t receive non-security-related notifications from us unless they specifically choose to receive them, and the same will be true for those who signed up in the past,” Stamos writes in the blog post. “We expect to have the fixes in place in the coming days. To reiterate, this was not an intentional decision; this was a bug.”

Source: Facebook admits SMS notifications sent using two-factor number was caused by bug – The Verge

A bit worrying when your two factor security system starts acting up on its own and sending messages randomly.

Consumers prefer security over convenience for the first time ever, IBM Security report finds

“We always talk about the ease of use, and not impacting user experience, etc, but it turns out that when it comes to their financial accounts…people actually would go the extra mile and will use extra security,” Kessem said. Whether it’s using two factor authentication, an SMS message on top of their password, or any other additional step for extra protection, people still want to use it. Some 74% of respondents said that they would use extra security when it comes to those accounts, she said.

Based on findings in the report, people are aware of the data breaches that are happening to companies and consumers alike—with the US leading in terms of people who are aware of data breaches.

“They understand that there’s something they can do to prevent it, and they need to secure their accounts,” she said. “We figure that could be a reason, especially when it comes to where their money lays. They want to make sure that’s more secure.”

Source: Consumers prefer security over convenience for the first time ever, IBM Security report finds – TechRepublic

Do Not, I Repeat, Do Not Download Onavo, Facebook’s Vampiric VPN Service

There’s a new menu item in the Facebook app, first reported by TechCrunch on Monday, labeled “Protect.” Clicking it will send you to the App Store and prompt you to download a Virtual Private Network (VPN) service called Onavo. (“Protect” shows up in the iOS app. Gizmodo looked for it on an Android device and didn’t see it—though, presumably it is only a matter of time.)
[…]
Facebook, however, purchased Onavo from an Israeli firm in 2013 for an entirely different reason, as described in a Wall Street Journal report last summer. The company is actually collecting and analyzing the data of Onavo users. Doing so allows Facebook to monitor the online habits of people outside their use of the Facebook app itself. For instance, this gave the company insight into Snapchat’s dwindling user base, even before the company announced a period of diminished growth last year.

To put it another way, Onavo is corporate spyware.

If you’re someone who can’t live without Facebook or simply can’t find the courage to delete it, the Onavo appears under the “Explore” list just above the “Settings” menu. I’d recommend you never click it. Facebook is already vacuuming up enough of your data without you giving them permission to monitor every website you visit.

Source: Do Not, I Repeat, Do Not Download Onavo, Facebook’s Vampiric VPN Service

If you want a VPN, buy a good one!

Fiat Chrysler Pushed A UConnect Update That Causes Constant Reboots With No Announced Fix

It appears that the over-the-air update to the UConnect system went out on Friday, and many, many owners have not had working center-stack systems since then. Many of these vehicles are nearly brand-new, which makes the issue even more maddening.
[…]
The failure of the UConnect system isn’t just limited to not having a radio; like almost all modern automotive infotainment systems, the center screen, controlled by UConnect, handles things like rear-view camera systems, navigation, cell phone connection systems like Apple CarPlay or Android Auto, some climate control functions, many system and user settings, and more.

Source: Fiat Chrysler Pushed A UConnect Update That Causes Constant Reboots With No Announced Fix

Ouch

US state’s pot dealer database pwned after security goes up in smoke

The US state of Washington says a miscreant was able to access the system it uses to track the manufacturing and sale of marijuana.

The Evergreen State’s Liquor and Cannabis Board – a job that sounds way cooler than it actually is – yesterday admitted that last weekend someone was able to exploit a vulnerability in one of its machines to access Leaf Data Systems, which Washington uses to keep records on the movement of Mary Jane.

Described as a “seed to sale” tracing process, the Leaf system is intended as a way for the board to keep track on the movement of marijuana from growers and suppliers. Growers and merchants upload information including planned shipments and movements of crops between various points in the “chain of custody” as the pot moves from farms to wholesalers and eventually shops.

Earlier this week, Washington was hit with a pot shortage after the Leaf Data System went down with what was at the time thought to be a “glitch” that had left shops unable to take in new shipments.

On Thursday, the board revealed that the “glitch” was in fact the aftermath of a hacker intrusion, and that someone had been able to obtain a copy of the database that tracked shipments.

“There are indications an intruder downloaded a copy of the traceability database and took action that caused issues with inventory transfers for some users,” the board said.

“We believe this was the root cause of the transfer/manifest issue experienced between Saturday and Monday.”

The stolen database contained information on shipments set to take place between February 1 and 4 of 2018, including route manifest information, vehicle identification and license plate number. Only the manifest data is considered sensitive, as the other records are public information.

Source: You dopes! US state’s pot dealer database pwned after security goes up in smoke • The Register

I am very curious if any dope trucks got robbed in that period.

You can resurrect any deleted GitHub account name. If you depend on that account you may find yourself in trouble

The individual identifying himself as Jim Teeuwen, who maintained the GitHub repository for a tool called go-bindata for embedding data in Go binaries, recently deleted his GitHub account, taking with it a resource that other Go developers had included in their projects.

The incident echoes the more widely noted 2016 disappearance of around 250 modules maintained by developer Azer Koçulu from the NPM repository. The deletion of one of these modules, left-pad, broke thousands of Node.js packages that incorporated it and prompted NPM to take the unprecedented step of restoring or “un-un-publishing” the code.

Earlier this week, an unidentified developer, whose Go project stopped functioning as a result of the closure of the jteeuwen account, opened a new GitHub account under the abandoned name and repopulated it with a forked version of the go-bindata package as a workaround to re-enable the broken project.

In a post on that account, Franklin Yu, a Boston-area software engineer in the US, said he was a friend of the person who recreated the account and explained that the repo had been resurrected to fix a private project.

“The current owner had no way to directly redirect the repo, so he made such work-around so that he could safely go home without being blamed by his supervisor,” he explained. “And of course, hoped this would also save someone else trapped in similar situation.”
[…]
The security implications of allowing reuse of abandoned names are particularly evident in the domain industry, where expired domains regularly get re-registered by spammers hoping to benefit from whatever trust and traffic the previous owner had accrued.

Developers themselves bear some measure of responsibility for relying on code they can’t control and can’t verify.

But Donat, in a phone interview with The Register, suggested that’s not realistic. “You could argue it’s all down to the developer,” he said. “But the fact of the matter is this is how GitHub is now being used, as a package repository, whether it’s meant to be or not.”

Donat argued that GitHub should address the issue, noting that it would not be difficult to revive an abandoned account name and use it to distribute malware.

Source: You can resurrect any deleted GitHub account name. And this is why we have trust issues • The Register

Personally I don’t think the onus here is on GitHub. If you delete a username, it becomes free. The problem is with stupid developers who trust an account, instead of downloading the software they depend on and packaging it with their product. We should know by now that anything on the cloud won’t stay there forever.
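The advice above (vendor the code you depend on instead of trusting an account name) and The Register's point that a revived account name could distribute different code both come down to one control: verify the content you build against, not the place it came from. The Go program below is an added example written for this page, not code from go-bindata, GitHub or The Register. It hashes each vendored dependency when it is first reviewed, writes the hashes to a made-up lock-file format, and later flags anything that changed, was never pinned, or disappeared. The import path github.com/example/bindata and the lock format are assumptions for the illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Status is the verification outcome for one vendored dependency.
type Status string

const (
	StatusOK       Status = "ok"       // hash matches the pin
	StatusTampered Status = "tampered" // pinned, but the contents changed
	StatusUnpinned Status = "unpinned" // vendored, but no pin was recorded
	StatusMissing  Status = "missing"  // pinned, but no longer vendored
)

func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Pin records the SHA-256 of each vendored artifact (keyed by import path) once
// it has been reviewed; commit the result alongside the vendored code.
func Pin(vendored map[string][]byte) map[string]string {
	pins := make(map[string]string, len(vendored))
	for path, content := range vendored {
		pins[path] = digest(content)
	}
	return pins
}

// Verify checks the current vendored tree against the committed pins. Keying on
// content rather than on the upstream account or URL means a repository deleted
// and re-created under the same name cannot swap in different code unnoticed.
func Verify(pins map[string]string, vendored map[string][]byte) map[string]Status {
	result := make(map[string]Status, len(pins)+len(vendored))
	for path, content := range vendored {
		want, pinned := pins[path]
		switch {
		case !pinned:
			result[path] = StatusUnpinned
		case want != digest(content):
			result[path] = StatusTampered
		default:
			result[path] = StatusOK
		}
	}
	for path := range pins {
		if _, present := result[path]; !present {
			result[path] = StatusMissing
		}
	}
	return result
}

// FormatLock writes pins as sorted "import-path sha256-hex" lines; the format is
// hypothetical for this example, not go.sum or any real tool's lock file.
func FormatLock(pins map[string]string) string {
	paths := make([]string, 0, len(pins))
	for p := range pins {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var sb strings.Builder
	for _, p := range paths {
		fmt.Fprintf(&sb, "%s %s\n", p, pins[p])
	}
	return sb.String()
}

// ParseLock reads FormatLock's output; a malformed line is an error rather than
// being skipped, so a corrupted or truncated lock file fails closed.
func ParseLock(text string) (map[string]string, error) {
	pins := make(map[string]string)
	for n, line := range strings.Split(text, "\n") {
		f := strings.Fields(line)
		if len(f) == 0 {
			continue
		}
		if len(f) != 2 || len(f[1]) != sha256.Size*2 {
			return nil, fmt.Errorf("lock line %d: malformed entry %q", n+1, line)
		}
		pins[f[0]] = f[1]
	}
	return pins, nil
}

func main() {
	// Constructed sample: pin the reviewed copy, then check a republished copy.
	lock := FormatLock(Pin(map[string][]byte{"github.com/example/bindata": []byte("reviewed")}))
	pins, err := ParseLock(lock)
	if err != nil {
		panic(err)
	}
	fmt.Println(Verify(pins, map[string][]byte{"github.com/example/bindata": []byte("republished")}))
}
```

Running Verify in the build pipeline and failing on anything other than `ok` turns a silently re-created upstream into a build break that someone has to look at, which is the outcome the "download and package it with your product" advice is really after.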

Wish you could log into someone’s Netgear box without a password? Summon a &genie=1 – get patching!

Some 17 Netgear routers have a remote authentication bypass, meaning malware or miscreants on your network, or able to reach the device’s web-based configuration interface from the internet, can gain control without having to provide a password. Just stick &genie=1 in the URL, and bingo.

That’s pretty bad news for any vulnerable gateways with remote configuration access enabled, as anyone on the internet can exploit the cockup to take over the router, change its DNS settings, redirect browsers to malicious sites, and so on.

Another 17 Netgear routers – with some crossover with the above issue – have a similar bug, in that the genie_restoring.cgi script, provided by the box’s built-in web server, can be abused to extract files and passwords from its filesystem in flash storage – it can even be used to pull files from USB sticks plugged into the router.

Other models have less severe problems that still need patching just in case. For example, after pressing the Wi-Fi Protected Setup button, six of Netgear’s routers open up a two-minute window during which an attacker can potentially execute arbitrary code on the router as root over the air.

Source: Wish you could log into someone’s Netgear box without a password? Summon a &genie=1 • The Register
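Until the firmware is patched, the useful defensive question is whether anyone has already tried either bug against a given box. The Go program below is an added example written for this page, not code from Netgear or The Register: it scans constructed access-log lines for the two patterns the story names, a `genie=1` query parameter (also when percent-encoded or upper-cased) and a request for `genie_restoring.cgi`, and marks whether the client address lies outside private address space, which is the "remote configuration access enabled" case the article warns about. The log layout and every path other than genie_restoring.cgi are assumptions for the illustration.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"path"
	"regexp"
	"strings"
)

// Finding is one suspicious request pulled from the router's web access log.
type Finding struct {
	Line     int
	Source   string
	Target   string
	Reason   string
	External bool // client address is outside RFC 1918 / loopback space
}

// Combined-log-style line: client, identity, user, timestamp, request line, status.
// The layout is a constructed stand-in; real Netgear firmware logs may differ.
var logLine = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})`)

func isPrivate(addr string) bool {
	ip := net.ParseIP(addr)
	return ip != nil && (ip.IsPrivate() || ip.IsLoopback())
}

// Suspicious explains why a request target matches one of the two reported bugs,
// or returns "" when it does not.
func Suspicious(target string) string {
	u, err := url.Parse(target)
	if err != nil {
		return "unparseable request target"
	}
	if strings.EqualFold(path.Base(u.Path), "genie_restoring.cgi") {
		return "genie_restoring.cgi file-extraction endpoint requested"
	}
	// ParseQuery percent-decodes keys and values, so genie=%31 is seen as genie=1;
	// the key comparison is case-insensitive to catch trivial variations.
	values, _ := url.ParseQuery(u.RawQuery)
	for key, vals := range values {
		if !strings.EqualFold(key, "genie") {
			continue
		}
		for _, v := range vals {
			if strings.TrimSpace(v) == "1" {
				return "genie=1 authentication-bypass parameter present"
			}
		}
	}
	return ""
}

// ScanLog applies Suspicious to every parseable line and returns findings in order.
func ScanLog(logText string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(logText, "\n") {
		m := logLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		reason := Suspicious(m[2])
		if reason == "" {
			continue
		}
		findings = append(findings, Finding{
			Line: i + 1, Source: m[1], Target: m[2], Reason: reason, External: !isPrivate(m[1]),
		})
	}
	return findings
}

// sampleLog is constructed for this example; apart from genie_restoring.cgi the
// paths are placeholders, not real Netgear firmware URLs.
const sampleLog = `192.168.1.20 - - [01/Feb/2018:10:12:01 +0000] "GET /index.html HTTP/1.1" 401 0
192.168.1.20 - - [01/Feb/2018:10:12:09 +0000] "GET /index.html?genie=1 HTTP/1.1" 200 4123
203.0.113.7 - - [01/Feb/2018:10:13:44 +0000] "GET /admin.html?x=2&GENIE=%31 HTTP/1.1" 200 4123
203.0.113.7 - - [01/Feb/2018:10:14:02 +0000] "POST /genie_restoring.cgi HTTP/1.1" 200 912
192.168.1.31 - - [01/Feb/2018:10:15:00 +0000] "GET /help.html?genie=0 HTTP/1.1" 200 77`

func main() {
	for _, f := range ScanLog(sampleLog) {
		fmt.Printf("line %d from %s (external=%t): %s -> %s\n", f.Line, f.Source, f.External, f.Target, f.Reason)
	}
}
```

The sample produces three findings: the internal `genie=1` request, the external percent-encoded variant, and the external `genie_restoring.cgi` request; the `genie=0` line and the plain `401` are left alone. An external finding is the one that should trigger an immediate check of the router's remote-management setting and DNS configuration.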

PinMe: Tracking a Smartphone User around the World with GPS and WiFi off

We describe PinMe, a novel user-location mechanism that exploits non-sensory/sensory data stored on the smartphone, e.g., the environment’s air pressure, along with publicly-available auxiliary information, e.g., elevation maps, to estimate the user’s location when all location services, e.g., GPS, are turned off.

Source: [1802.01468] PinMe: Tracking a Smartphone User around the World

Maybe you should’ve stuck with NetWare: Hijackers can bypass Active Directory controls

“The idea of a rogue domain controller is not new and has been mentioned multiple times in previous security publications but required invasive techniques (like installing a virtual machine with Windows Server) and to log on a regular domain controller (DC) to promote the VM into a DC for the targeted domain.” That’s easily spotted, so Delsalle wrote that the attack described by Delpy and Le Toux has to “modify the targeted AD infrastructure database to authorise the rogue server to be part of the replication process.”

Source: Maybe you should’ve stuck with NetWare: Hijackers can bypass Active Directory controls • The Register

Lenovo Fingerprint Manager Pro for Windows has a hardcoded password

A vulnerability has been identified in Lenovo Fingerprint Manager Pro. Sensitive data stored by Lenovo Fingerprint Manager Pro, including users’ Windows logon credentials, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in.

Source: Lenovo Fingerprint Manager Pro for Windows 7, 8, and 8.1 only (not 10) Insecure Credential Storage

Heat Map Released by Fitness Tracker Reveals Location of Secret Military Bases

Strava, which markets itself as a “social-networking app for athletes”, publicly made available its global heat map, showing the location of all the rides, runs, swims, and downhills taken by its users, as collected by their smartphones and wearable devices like Fitbit.

Since Strava has been designed to track users’ routes and locations, IUCA analyst Nathan Ruser revealed that the app might have unintentionally mapped out the location of some of the military forces around the world, especially some secret ones from the United States.

With a total of one billion activities logged on Strava’s activity map, it is a whole lot of useful data from all over the world.

Although Strava’s publicly available activity map was live as of November 2017, Ruser recently noticed that the map includes the fitness routes of army soldiers and agents in secret base locations, including U.S. military bases in Afghanistan and Syria, a suspected CIA base in Somalia and even Area 51.

Source: Heat Map Released by Fitness Tracker Reveals Location of Secret Military Bases

Dutch agencies provide crucial intel about Russia’s interference in US-elections, US burns the Dutch source

The Cozy Bear hackers are in a space in a university building near the Red Square. The group’s composition varies, usually about ten people are active. The entrance is in a curved hallway. A security camera records who enters and who exits the room. The AIVD hackers manage to gain access to that camera. Not only can the intelligence service now see what the Russians are doing, they can also see who’s doing it. Pictures are taken of every visitor. In Zoetermeer, these pictures are analyzed and compared to known Russian spies.

The Dutch access to the Russian hackers’ network soon pays off. In November, the Russians prepare for an attack on one of their prime targets: the American State Department. By now, they’ve obtained e-mail addresses and the login credentials of several civil servants. They manage to enter the non-classified part of the computer network.

The AIVD and its military counterpart MIVD inform the NSA liaison at the American embassy in The Hague. He immediately alerts the different American intelligence services.

What follows is a rare battle between the attackers, who are attempting to further infiltrate the State Department, and its defenders, FBI and NSA teams – with clues and intelligence provided by the Dutch. This battle lasts 24 hours, according to American media.

The Russians are extremely aggressive but do not know they’re being spied on. Thanks to the Dutch spies, the NSA and FBI are able to counter the enemy with enormous speed. The Dutch intel is so crucial that the NSA opens a direct line with Zoetermeer, to get the information to the United States as soon as possible.
[…]
President-elect Donald Trump categorically refuses to explicitly acknowledge the Russian interference. It would tarnish the gleam of his electoral victory. He has also frequently praised Russia, and president Putin in particular. This is one of the reasons the American intelligence services eagerly leak information: to prove that the Russians did in fact interfere with the elections. And that is why intelligence services have told American media about the amazing access of a ‘western ally’.

This has led to anger in Zoetermeer and The Hague. Some Dutchmen even feel betrayed. It’s absolutely not done to reveal the methods of a friendly intelligence service, especially if you’re benefiting from their intelligence. But no matter how vehemently the heads of the AIVD and MIVD express their displeasure, they don’t feel understood by the Americans. It’s made the AIVD and MIVD a lot more cautious when it comes to sharing intelligence. They’ve become increasingly suspicious since Trump was elected president.

The AIVD hackers are no longer in Cozy Bear’s computer network. The Dutch espionage lasted between 1 and 2.5 years. Hacker groups frequently change their methods and even a different firewall can cut off access.

Source: Dutch agencies provide crucial intel about Russia’s interference in US-elections – Tech – Voor nieuws, achtergronden en columns