‘Vaza Jato’ hacker exploited CNJ flaws; understand – 08/15/2023 – Tech

Known as the “Vaza Jato” hacker, programmer Walter Delgatti Neto exploited a series of cybersecurity breaches of the CNJ (National Council of Justice) and a bug on the GitHub platform to access the BNMP (National Bank of Arrest Warrants). That’s when he created a false warrant against the minister of the STF (Federal Supreme Court) Alexandre de Moraes.

Delgatti’s testimony on August 2 points to basic flaws in the CNJ’s cybersecurity practices between September 2022 and January of this year, the period in which the suspect entered falsified documents into the system.

The programmer cites passwords like “123change”, credentials reused across systems and the absence of two-factor authentication. These are mistakes anyone should avoid in order to protect personal data on the internet.

In a decision by the STF, Moraes assesses that Delgatti’s report is in line with the expertise and investigations of the Federal Police.

According to Delgatti, at least one of the systems has not been updated for two years. A survey by the cybersecurity company Kaspersky shows that 53.6% of cyberattacks against companies and organizations began with exploiting vulnerabilities in exposed or outdated programs.

Starting from these gaps, the “Vaza Jato” hacker says he followed conversations among CNJ technical staff in an internal channel for three months and gained access to a bot capable of editing the council’s code. This allowed Delgatti to analyze the justice systems “line by line”.

From there, he obtained the login and password of a CNJ software engineer for a management system. The same credentials worked on the council’s intranet, where there was also no two-factor verification.

This gave Delgatti access to all database passwords — some of the passwords were unencrypted.

The attacker then gained access to the account of IT consultant Elenilson Pedro Chiarapa in the Access Control System, which grants permissions to other systems. Chiarapa works at UNDP (United Nations Development Program), which maintains technical cooperation agreements with the CNJ to develop and update digital systems such as the BNMP.

Finally, Delgatti created, under the name of a front man, a false account with the permissions of a magistrate in the BNMP and in Sisbajud, the system that transmits court orders.

The CNJ discovered the arrest warrant against Moraes and 11 other release orders in favor of Bolsonarist militants on January 4. “The staff were too confident that the system would not be invaded”, said Delgatti in testimony.

These errors point to non-compliance with the National Cyber ​​Security Strategy of the Judiciary, established by the CNJ itself in 2021. The statute determines evaluations and tests at least every six months and the formulation and execution of security protocols in each body of the Judiciary.

After the episode, the CNJ revoked access passwords to all systems and instituted a new security standard.

In a note sent to Folha, the CNJ says it has implemented all necessary measures to strengthen its cyber environment. For example, it revised its password policy and expanded two-factor authentication, among other measures.

ATTACK STARTED WITH CARELESSNESS ON GITHUB

Delgatti’s intrusion began in the CNJ repository on GitHub, a platform that hosts source code to allow collaborative software development. There, he found files called “secrets” that contained access keys and tokens for the CNJ’s systems.

The council hosts its code on GitHub and the competing platform GitLab as a policy of transparency.

The “Vaza Jato” hacker searched the “jus.br” domain for the information he had found until he discovered a way into the CNJ project repository on GitLab, which requires a username and password. It was there that he gained access to the code-editing bot.

The exposed security files were no longer accessible a month ago, according to Delgatti.

Research by cybersecurity firm GitGuardian found around 10 million sensitive files exposed on GitHub. The authors of the study say that this accidental exposure occurs, in most cases, through negligence on the part of the developer.

Protecting sensitive information within a program takes time and effort. In addition, mistakes can occur when uploading code to GitHub, through operator confusion, which unintentionally exposes secrets.
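The kind of exposure described above (credential files and tokens committed to a public repository) is routinely caught before it reaches GitHub by a secret scanner run as a pre-commit or CI check. The following is an added illustration, not code from the CNJ, GitGuardian or GitHub: it scans a set of files for publicly documented credential formats, for file names that should never be committed in the clear, and for long high-entropy strings that look like tokens. The sample files, the entropy threshold and the file-name list are assumptions constructed for this example.

```python
import math
import re
from typing import Dict, List, NamedTuple, Tuple

# Credential formats whose shapes are publicly documented by their vendors.
PATTERNS = {
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|senha)\s*[:=]\s*['\"]([^'\"]{4,})['\"]"
    ),
}
# File names that should never be committed unencrypted (assumed list).
SECRET_FILENAME = re.compile(r"(?i)secret|credential|\.env$|id_rsa|\.pem$")
# Runs of token-like characters long enough to be worth an entropy check.
TOKEN_RUN = re.compile(r"[A-Za-z0-9+/=_\-]{32,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed cut-off for "random-looking"


class Finding(NamedTuple):
    path: str
    line: int      # 0 means the finding concerns the file name itself
    kind: str
    sample: str    # redacted excerpt, safe to print in CI logs


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(s: str) -> str:
    """Keep just enough of a match to locate it without re-leaking it."""
    return s[:4] + "..." + s[-2:] if len(s) > 8 else "***"


def scan_text(path: str, text: str) -> List[Finding]:
    findings: List[Finding] = []
    if SECRET_FILENAME.search(path):
        findings.append(Finding(path, 0, "suspicious_filename", path))
    for lineno, line in enumerate(text.splitlines(), 1):
        matched: List[Tuple[int, int]] = []
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                matched.append(m.span())
                findings.append(Finding(path, lineno, kind, redact(m.group(0))))
        for m in TOKEN_RUN.finditer(line):
            start, end = m.span()
            if any(start < e and s < end for s, e in matched):
                continue  # already reported by a more specific pattern
            if shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
                findings.append(
                    Finding(path, lineno, "high_entropy_string", redact(m.group(0)))
                )
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> file contents (e.g. the staged files of a commit)."""
    out: List[Finding] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed sample repository contents; none of these values are real credentials.
SAMPLE_FILES = {
    "config/secrets.yaml": 'db_password: "hunter2hunter2"\n'
                           "aws_access_key_id: AKIAABCDEFGHIJKLMNOP\n",
    "src/app.py": 'import os\nTOKEN = os.environ["API_TOKEN"]  # read at runtime, nothing embedded\n',
    "src/client.py": 'api_key = "Zq8mN2vX4pL7kR9tW1yB5cF3hJ6dS0aG"\n'
                     'gh_token = "ghp_Ab3dEf6hIj9kLm2nOp5qRs8tUv1wXy4zAb7cDe"\n',
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n"
                     "(body omitted in this constructed sample)\n"
                     "-----END OPENSSH PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.kind} ({f.sample})")
```

Wired into a pre-commit hook, a non-empty result from `scan_files` should block the commit; the entropy check is deliberately reported separately from the pattern matches because it produces more false positives (hashes, base64 assets) and teams usually tune its threshold or allow-list paths rather than disable it.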

Asked for comment, GitHub said it does not comment on the matter.

Delgatti said in his testimony that he broke into the system to expose the weaknesses of the Judiciary’s digital environment. Financial transaction records he handed to the Federal Police show, however, that people close to deputy Carla Zambelli (PL-SP) transferred R$ 13,500 to the hacker.

Zambelli is under investigation for having commissioned the intrusion from the cybercriminal.
