More stories


    FBI says credential stuffing attacks are behind some recent bank hacks

    The FBI sent a private security alert to the US financial sector last week, warning organizations about the increasing number of credential stuffing attacks that have targeted their networks and led to breaches and considerable financial losses.
    Credential stuffing is a relatively new term in the cyber-security industry.
    It refers to a type of automated attack where hackers take collections of usernames and passwords that leaked online via data breaches at other companies and try them against accounts at other online services.
    These attacks aim to identify accounts where users reused passwords and then gain unauthorized access over the user’s profile and attached resources.
    Credential stuffing attacks weren’t always an issue, but they became one in the late 2010s after hackers leaked billions of usernames and password combinations from hundreds of companies over the past five years.

    Slowly, hackers began collecting these leaked credentials and trying them against various online services. At first, they targeted online gaming and food-ordering accounts, but as the tactic proved to be more and more successful, more professional hacking groups switched to targeting accounts at online banking services and cryptocurrency exchanges, aiming to steal financial assets.
    Credential stuffing is now a major problem for banks
    According to an FBI security advisory obtained by ZDNet today, credential stuffing attacks have increased in recent years and have now become a major problem for financial organizations.
    “Since 2017, the FBI has received numerous reports on credential stuffing attacks against US financial institutions, collectively detailing nearly 50,000 account compromises,” the FBI said.
    “The victims included banks, financial services providers, insurance companies, and investment firms.”
    FBI officials said that many of these attacks targeted application programming interfaces (APIs) since these systems are “less likely to require multi-factor authentication (MFA)” and are less monitored than user-facing login systems.
    The FBI also noted that some credential stuffing attacks have been so massive, with authentication requests packed together without cool-off periods, that they brought down authentication systems at some financial organizations, with some targets believing they were being DDOSed rather than under a credential stuffing attack — incidents that the F5 Networks cyber-security unit also reported last year.
    Credential stuffing attacks also didn’t target just user profiles, the FBI said, but they also targeted employee accounts, with the attackers aiming to access high-privileged accounts as well.
    Some of these attacks failed, but others also succeeded and led to multi-million dollar losses at some organizations over the past year.
    According to the FBI, recent major incidents included:
    In July 2020, a mid-sized US financial institution reported its Internet banking platform had experienced a “constant barrage” of login attempts with various credential pairs, which it believed was indicative of the use of bots. Between January and August 2020, unidentified actors used aggregation software to link actor-controlled accounts to client accounts belonging to the same institution, resulting in more than $3.5 million in fraudulent check withdrawals and ACH transfers. However, reporting does not indicate whether the increased logins and fraudulent transactions could be attributed to the same actor(s).
    Between June 2019 and January 2020, a NY-based investment firm and an international money transfer platform experienced credential stuffing attacks against their mobile APIs, according to a credible financial source. Although neither entity reported any fraud, one of the attacks resulted in an extended system outage that prevented the collection of nearly $2 million in revenue.
    Between June and November 2019, a small group of cyber criminals targeted a financial services institution and three of its clients, resulting in the compromise of more than 4,000 online banking accounts, according to a credible financial source. The cyber criminals then used bill payment services to submit fraudulent payments—about $40,000 in total—to themselves, which they then wired to foreign banking accounts. According to a 2020 case study on one of the firms, security researchers identified more than 1,500 email addresses and 6,000 passwords exposed in more than 80 data breaches. Some of the credentials belonged to company leadership, system administrators, and other employees with privileged access.
    The FBI security advisory, which you can read in full here, warns financial institutions to take protective measures about the ever-growing threat of credential stuffing.
    The alert includes basic detection strategies and mitigation advice that can be applied universally across all sectors, not just to companies in the financial vertical.
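    The advisory's point that API login endpoints are less monitored than user-facing login pages suggests what a detection rule for this traffic has to look at. As an added example (not code from the FBI advisory or from ZDNet), the following Python runs two heuristics over constructed login-log lines: one source IP trying many distinct usernames with mostly failures, and one endpoint receiving failures for many usernames from many IPs within a window, which is the proxy-rotated pattern a per-IP threshold misses. The log format, field order, thresholds and addresses are all assumptions made for the example.

```python
"""Heuristic credential-stuffing detection over constructed login logs.

Added example; the log format and thresholds are assumptions, not the
FBI advisory's own detection strategy.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log: "<iso-time> <src-ip> <endpoint> <username> <result>".
# 198.51.100.10 walks a leaked credential list through the API endpoint from one
# IP; 203.0.113.1-6 do the same through one username per proxy IP; 192.0.2.44 is
# a real user mistyping a password, which must not be flagged.
SAMPLE_LOG = """\
2020-09-10T12:00:01Z 198.51.100.10 /api/v1/login alice FAIL
2020-09-10T12:00:02Z 198.51.100.10 /api/v1/login bob FAIL
2020-09-10T12:00:02Z 198.51.100.10 /api/v1/login carol FAIL
2020-09-10T12:00:03Z 198.51.100.10 /api/v1/login dave OK
2020-09-10T12:00:03Z 198.51.100.10 /api/v1/login erin FAIL
2020-09-10T12:00:04Z 198.51.100.10 /api/v1/login frank FAIL
2020-09-10T12:00:04Z 198.51.100.10 /api/v1/login grace FAIL
2020-09-10T12:00:05Z 198.51.100.10 /api/v1/login heidi FAIL
2020-09-10T12:01:00Z 192.0.2.44 /login alice FAIL
2020-09-10T12:01:20Z 192.0.2.44 /login alice FAIL
2020-09-10T12:01:45Z 192.0.2.44 /login alice OK
2020-09-10T12:02:00Z 192.0.2.77 /login ivan OK
2020-09-10T12:05:10Z 203.0.113.1 /api/v1/login kim FAIL
2020-09-10T12:05:11Z 203.0.113.2 /api/v1/login lee FAIL
2020-09-10T12:05:12Z 203.0.113.3 /api/v1/login mia FAIL
2020-09-10T12:05:13Z 203.0.113.4 /api/v1/login ned OK
2020-09-10T12:05:14Z 203.0.113.5 /api/v1/login olga FAIL
2020-09-10T12:05:15Z 203.0.113.6 /api/v1/login pat FAIL
2020-09-10T13:30:00Z 198.51.100.10 /api/v1/login judy FAIL
"""


def parse_log(text):
    """Parse the constructed log format into event dicts (UTC timestamps)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, endpoint, user, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": when, "ip": ip, "endpoint": endpoint,
                       "user": user, "ok": result == "OK"})
    return events


def _bucket(ts, window):
    """Floor a timestamp to the start of its fixed-size window (epoch seconds)."""
    secs, width = int(ts.timestamp()), int(window.total_seconds())
    return secs - secs % width


def _summarise(key_name, key, start, evs):
    successes = sum(e["ok"] for e in evs)
    return {key_name: key,
            "window_start": datetime.fromtimestamp(start, tz=timezone.utc).isoformat(),
            "distinct_ips": len({e["ip"] for e in evs}),
            "distinct_users": len({e["user"] for e in evs}),
            "attempts": len(evs), "successes": successes,
            # Accounts that accepted a leaked password: the ones to force-reset.
            "compromised": sorted(e["user"] for e in evs if e["ok"])}


def detect_source_stuffing(events, window=timedelta(minutes=5),
                           min_users=5, max_success_ratio=0.25):
    """Single-source pattern: one IP cycles through many usernames, mostly failing.
    A legitimate user retrying one account never reaches min_users."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["ip"], _bucket(e["ts"], window))].append(e)
    alerts = []
    for (ip, start), evs in groups.items():
        s = _summarise("ip", ip, start, evs)
        if s["distinct_users"] >= min_users and s["successes"] / s["attempts"] <= max_success_ratio:
            alerts.append(s)
    return alerts


def detect_distributed_stuffing(events, window=timedelta(minutes=5), min_ips=5,
                                min_users=5, max_success_ratio=0.25):
    """Proxy-rotated pattern: per endpoint, many usernames failing from many IPs
    in one window. Each IP alone looks harmless, so this is keyed on the endpoint."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["endpoint"], _bucket(e["ts"], window))].append(e)
    alerts = []
    for (endpoint, start), evs in groups.items():
        s = _summarise("endpoint", endpoint, start, evs)
        if (s["distinct_ips"] >= min_ips and s["distinct_users"] >= min_users
                and s["successes"] / s["attempts"] <= max_success_ratio):
            alerts.append(s)
    return alerts


def scan(text):
    """Run both detectors over a log and return their alerts."""
    events = parse_log(text)
    return {"source": detect_source_stuffing(events),
            "distributed": detect_distributed_stuffing(events)}


if __name__ == "__main__":
    for kind, alerts in scan(SAMPLE_LOG).items():
        for a in alerts:
            print(kind, a)
```

Against the sample, the per-IP rule flags only 198.51.100.10 (eight usernames, one success) and the per-endpoint rule flags only the /api/v1/login window hit from six proxy addresses; the retrying user at 192.0.2.44 is not flagged by either.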


    CISA: Chinese state hackers are exploiting F5, Citrix, Pulse Secure, and Exchange bugs

    The Cybersecurity and Infrastructure Security Agency (CISA) has published a security advisory today warning of a wave of attacks carried out by hacking groups affiliated with China’s Ministry of State Security (MSS).
    CISA says that over the past year, Chinese hackers have scanned US government networks for the presence of popular networking devices and then used exploits for recently disclosed vulnerabilities to gain a foothold on sensitive networks.
    The list of targeted devices includes F5 Big-IP load balancers, Citrix and Pulse Secure VPN appliances, and Microsoft Exchange email servers.
    For each of these devices, major vulnerabilities have been publicly disclosed over the past 12 months, such as CVE-2020-5902, CVE-2019-19781, CVE-2019-11510, and CVE-2020-0688, respectively.
    According to a table summarizing Chinese activity targeting these devices published by CISA today, some attacks have been successful and enabled Chinese hackers to gain a foothold on federal networks.

    Iranian hackers are also targeting these systems
    These attacks aren’t new, per se. ZDNet reported last year that Chinese state hackers had targeted Pulse Secure and Fortinet VPN servers less than a month after the vulnerabilities became public.
    In addition, Chinese hackers aren’t the only ones targeting these particular networking appliances. The devices listed above have also been targeted by Iranian state actors, according to a report from the private cyber-security sector and a cyber-security alert published by the FBI last month.
    One Iranian group has mass-compromised these types of devices and then provided access to fellow Iranian groups, allowing them to select the networks they wanted to compromise for intelligence gathering operations. The compromised devices that were not selected were later put up for sale on underground hacking forums, according to a Crowdstrike report.
    Other forms of attacks also detected
    The CISA alert warns the US private sector and government agencies to patch F5, Citrix, Pulse Secure, and Microsoft Exchange devices. However, the alert also warns that Chinese hackers are employing a wide spectrum of other intrusion methods.
    These also include the use of spear-phishing emails — a classic attack employed by Chinese state actors — and the use of brute-force attacks leveraging weak or default credentials.
    Once Chinese hackers are inside targeted networks, they also often deploy commercial and open-source tools to move laterally across networks and exfiltrate data. This includes the use of legitimate penetration-testing tools like Cobalt Strike and Mimikatz.
    When attacks target public-facing web systems, such as VPNs, web and email servers, CISA said it often spotted Chinese state hackers deploying the China Chopper web shell, a common tool they’ve used for almost a decade.
    CISA officials recommend that security teams in the private sector and in government agencies read its report, take note of the common tactics, techniques, and procedures (TTPs) used by Chinese state actors, patch devices, and deploy detection rules accordingly.


    Zerologon attack lets hackers take over enterprise networks: Patch now

    Unbeknownst to many, last month Microsoft patched one of the most severe bugs ever reported to the company, an issue that could be abused to easily take over Windows Servers running as domain controllers in enterprise networks.
    The bug was patched in the August 2020 Patch Tuesday under the identifier CVE-2020-1472. It was described as an elevation of privilege in Netlogon, the protocol that authenticates users against domain controllers.
    The vulnerability received the maximum severity rating of 10, but details were never made public, meaning users and IT administrators never knew how dangerous the issue really was.
    Take over a domain controller with a bunch of zeros
    But in a blog post today, the team at Secura B.V., a Dutch security firm, has finally lifted the veil from this mysterious bug and published a technical report describing CVE-2020-1472 in greater depth.
    And per the report, the bug is truly worthy of its 10/10 CVSSv3 severity score.
    According to Secura experts, the bug, which they named Zerologon, takes advantage of a weak cryptographic algorithm used in the Netlogon authentication process.
    This bug allows an attacker to manipulate Netlogon authentication procedures and:
      • impersonate the identity of any computer on a network when trying to authenticate against the domain controller
      • disable security features in the Netlogon authentication process
      • change a computer’s password on the domain controller’s Active Directory (a database of all computers joined to a domain, and their passwords)
    The gist, and the reason why the bug has been named Zerologon, is that the attack is done by adding zero characters in certain Netlogon authentication parameters (see graph below).

    Image: Secura
    The entire attack is very fast, taking at most three seconds. In addition, there are no limits to how an attacker can use the Zerologon attack. For example, the attacker could also pose as the domain controller itself and change its password, allowing the hacker to take over the entire corporate network.
    Take over a corporate network in three seconds
    There are limitations to how a Zerologon attack can be used. For starters, it cannot be used to take over Windows Servers from outside the network. An attacker first needs a foothold inside a network.
    However, when this condition is met, it’s literally game over for the attacked company. 
    “This attack has a huge impact,” the Secura team said. “It basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged in a device to an on-premise network port) to completely compromise the Windows domain.”
    Furthermore, this bug is also a boon for malware and ransomware gangs, which often rely on infecting one computer inside a company’s network and then spreading to multiple others. With Zerologon, this task has been considerably simplified.
    Patches available; more to come
    But patching Zerologon was no easy task for Microsoft, as the company had to modify how billions of devices connect to corporate networks, effectively disrupting the operations of countless companies.
    This patching process is scheduled to take place over two phases. The first one took place last month, when Microsoft released a temporary fix for the Zerologon attack.
    This temporary patch made the Netlogon security features (that Zerologon was disabling) mandatory for all Netlogon authentications, effectively breaking Zerologon attacks.
    Nonetheless, a more complete patch is scheduled for February 2021, just in case attackers find a way around the August patches. Unfortunately, Microsoft anticipates that this later patch will end up breaking authentication on some devices. Some details about this second patch have been described here.
    Attacks using Zerologon are a given, primarily due to the bug’s severity, wide impact, and benefits for attackers.
    Secura has not released proof-of-concept code for a weaponized Zerologon attack, but the company expects that these will eventually surface after its report spreads online today.
    In the meantime, the company has released a Python script instead, a script that can tell administrators if their domain controller has been patched correctly.
    Updated at 5:00 PM ET to add that, as expected, weaponized proof-of-concept code has been made publicly available, which means the exploitation window for this vulnerability is now open.


    Ransomware: This essential step could help you make it through an attack

    Plan for your organisation to become the victim of a ransomware or malware attack, even if you think it’s extremely unlikely you’ll be targeted, because having an incident response plan will greatly reduce the impact if the worst happens.
    The advice is part of the National Cyber Security Centre’s (NCSC) updated guidance on mitigating malware and ransomware attacks under a new section on preparing for an incident. The guidance has been updated because of what the NCSC describes as “a growing threat from ransomware attacks”.
    One of the key pieces of advice is to plan for an attack on your systems even if you think it’s unlikely, because as the agency notes, there are many organisations which have been impacted by malware as collateral damage, even when they weren’t the intended target.
    For example, both the WannaCry and NotPetya cyber attacks caused damage to organisations around the world who weren’t specifically being targeted by hackers.
    To ensure that an organisation is as prepared for an attack as possible, the first thing it should do is identify its critical assets and what the impact would be if they were disrupted by a malware attack, then develop an incident response plan which accounts for what should happen if there is an attack.
    The NCSC says that a well planned and executed response will help to minimise the damage caused by a cyber attack and could result in anything from restricting the amount of data lost to being able to minimise public fallout after falling victim to an incident.
    The incident response plan should also be tested thoroughly to help clarify the roles and responsibilities of both staff and third parties and how to go about a system recovery if the network is taken out.
    For example, in the event of ransomware shutting down the network, an organisation should already know how long it would take to restore minimum functionality to the network, what processes need to be followed to restore servers and files from backups and how critical business services can still operate while the incident is ongoing.
    The guidance also suggests that organisations should have plans in place so that if they do fall victim to a ransomware attack, they already know how they’d respond to a ransom demand and the threat of data being published as part of the extortion scheme.
    This advice on being prepared for an incident is in addition to previous advice from the NCSC, which urges organisations to make regular backups, to prevent malware from being delivered to devices, and to stop malware from being able to run, for example by limiting permissions which aren’t needed. Organisations are also urged to install security updates as and when they arrive.
    The latest guidelines are based on the NCSC’s own experience of helping organisations resolve incidents over the course of this year.
    “With each incident the NCSC manages, we continue to learn. We learn about how criminals compromise networks, how they deploy malware, and the mitigations that – if in place – would have prevented the attack,” said the NCSC blog post.
    “Knowledge like this, which we acquire from the ‘cyber frontline’, is invaluable and informs the guidance we publish. This is why we’ve updated the mitigating malware and ransomware guidance; to ensure that it reflects the changing nature of the incidents we are dealing with”.
    To help organisations manage their incident response strategy, the NCSC recommends its free Exercise in a Box online tool, which contains materials for setting up, planning, delivery, and post-exercise activity – many of which are based on data from real cyber attacks.


    COVID cybercrime: 10 disturbing statistics to keep you awake tonight

    On Tuesday, I’ll be joining CBS Interactive’s Michael Steinhart and Netenrich’s Brandon Hoffman in what promises to be a fascinating webcast about attack surface intelligence. While preparing for my part of the session, I came upon a bunch of unsettling statistics about how cybercrime and cyberattacks have gotten worse since the beginning of the COVID-19 pandemic.
    And since we can’t be in the same room together anymore, I figured the next most neighborly thing I could do is share the pain. So let’s dive in together. You might want to take a few Tums before you do. Your stomach acid level will thank me.
    1. The number of unsecured remote desktop machines rose by more than 40%
    As you might expect with so many new remote workers, there’s been a huge surge in the number of remote desktop connections from home to work (or the cloud). According to Channel Futures citing a Webroot study, there’s been over a 40% surge in machines running RDP (remote desktop protocol).
    The issue with unsecured machines is that criminals can use brute force attacks to gain access to a desktop machine. And once on the network with a desktop machine… badness happens.
    2. RDP brute-force attacks grew 400% in March and April alone
    According to Catalin Cimpanu here on ZDNet, cybersecurity firm Kaspersky released a report in April showing a huge jump in RDP (remote desktop protocol) attacks.
    All these new remote desktop connections create a target-rich environment. But here’s the thing: What happens when you rush to spin up a ton of services almost overnight? Mistakes are made. That’s one reason why so many remote desktops are not secure.
    And what happens when you have unsecured systems? A 400% boost in brute-force attacks. Yay, humanity!
    3. Email scams related to COVID-19 surged 667% in March alone
    According to Barracuda Networks, the number of phishing scams related to COVID-19 exploded in March. It probably continued in April and beyond, but we only have March data right now.

    These scams work the same as normal phishing scams, trying to separate users from credentials. The only difference is that the emails are using the pandemic to try to push a new set of psychological hot buttons.
    Because of so much rushed digital transformation, people are now accepting emails that might not look as formal or professional as before pandemic. And they click on those messages or log into those real-looking sites.
    4. Users are now three times more likely to click on pandemic-related phishing scams
    Let’s add a bonus statistic, courtesy of the Verizon Business 2020 Data Breach Investigations Report. Even prior to the pandemic, credential theft and phishing were at the heart of more than 67% of breaches.
    In a test performed in late March, researchers found that users are three times more likely to click on a phishing link and then enter their credentials than they were pre-COVID. Of course, it doesn’t hurt that those phishing emails often used words like “COVID” or “coronavirus”, “masks”, “test”, “quarantine” and “vaccine.”
    5. Billions of COVID-19 pages on the Internet
    About three weeks ago, I did a Google search on the phrase “COVID-19” and got 6.1 million search results. Today, the same query yielded 4.8 billion results. Clearly, it’s a topic that is top-of-mind for many of us. It’s also top-of-mind for scammers, because…
    6. Tens of thousands of new coronavirus-related domains are being created daily
    ZDNet has been tracking the rise in coronavirus-themed domains and has found that tens of thousands of new unique coronavirus-themed domains are being created on a daily basis.
    7. 90% of newly created coronavirus domains are scammy
    How many of these sites are legitimate? According to the same ZDNet research performed by Catalin, “in nine out of ten cases, we found a scam site peddling fake cures, or private sites, most likely used for malware distribution only to users with a specific referral header.”
    8. More than 530,000 Zoom accounts sold on dark web
    Just as there has been a rise in remote work and remote desktop, there has been an unprecedented rise in desktop video conferencing, mostly using Zoom. While Zoom has had some security issues, and we’ve seen the rise of a new practice called “Zoom bombing,” the site Bleeping Computer reports it found more than half a million Zoom credentials for sale – at roughly a penny a login ID.
    9. 2000% increase in malicious files with “zoom” in name
    And while we’re on the topic of Zoom, Webroot (via Channel Futures) reports that it’s seeing a 2,000% rise in malicious files containing the string “zoom.” Just for the heck of it, I typed the word “zoom” into Google and got 1.9 billion results. To be fair, zoom is a real word. That said, the Google Trends chart below shows how there was barely any interest in “zoom” until around March when “zoom” interest zoomed into the stratosphere.
    Google Trends
    10. COVID-19 drives 72% to 105% ransomware spike
    According to the Skybox Security 2020 Vulnerability and Threat Trends Report, ransomware samples (captured malicious files and code) have shot up 72% since the beginning of the pandemic. If you want even more worrisome numbers, look no further than SonicWall’s 2020 Cyberthreat report, which sees a 105% spike.
    The samples are not necessarily coronavirus-related, but it’s a huge jump in a very short period of time that corresponds with our current troubles. That said, the SonicWall report indicates, “While it’s impossible to determine causation, a strong correlation can be found in the ransomware graph and the patterns of COVID-19 infections.” Because, of course it can.

    But wait, there’s more

    Although these items didn’t fit nicely into little statistics, we’ve noticed more coronavirus-related scams and problems, including ransomware on fake contact tracing apps, COVID-19 malware that will wipe your PC and blast your master boot record, and the totally unsurprising story that the Russians are meddling with western scientific coronavirus vaccine research. You know what they say: Putins will be Putins.
    Stay tuned to ZDNet’s Zero Day column for ongoing coverage of security threat issues. And feel free to join me tomorrow, September 15 in Get ahead of an attack: What weaknesses do hackers see in your network? at 2:00 pm ET / 11:00 am PT / 18:00 GMT. It’s free and should be quite informative.
    I’d like to end this on an upbeat note and tell you something positive about malware trends or even the coronavirus. Since I can’t, I’ll just tell you something personally uplifting: there’s still time tonight for me to have another cup of coffee. It’s not big, but these days, we’ve got to acknowledge and embrace the small pleasures. Mine will be another hot cup o’ Joe warming my cozy hands, in about five minutes.
    Do you have any thoughts to share about coronavirus-themed malware? What about coffee? I’m always open to a good coffee discussion. Either way, share in the comments below.



    Vast majority of cyber-attacks on cloud servers aim to mine cryptocurrency

    Image: Aqua Security

    An analysis of one year’s worth of cyber-attacks recorded in cloud honeypot servers reveals that the vast majority of hackers target cloud infrastructure with the purpose of deploying crypto-mining malware rather than exfiltrate sensitive corporate information, set up DDoS infrastructure, or other forms of cybercrime.
    According to Aqua Security’s 2020 Cloud Native Threat Report, which tracked and analyzed 16,371 attacks between June 2019 and July 2020, attacks against cloud systems exploded at the start of the year when the company recorded a 250% jump in attacks from the previous year.
    During these attacks, hackers tried to gain control over the honeypot servers and then download and deploy a malicious container image.
    Aqua said that 95% of these images were aimed at mining cryptocurrency, while the rest were used for setting up DDoS infrastructure, something that had not been a common occurrence until recently.
    “Our analysis suggests that the threat landscape shifted towards organized cybercrime, which is investing in infrastructure,” Aqua said.
    The involvement of organized cybercrime groups not only led to a spike in attacks but also raised the complexity of these intrusions.
    Intrusion methods diversified, and malware complexity improved, Aqua said.
    Beyond scanning the internet for cloud servers exposed online without a password, exploiting vulnerabilities in unpatched systems, and carrying out brute-force attacks, hacker groups have recently been orchestrating supply-chain attacks.
    These are attacks where hackers plant malware in regular-looking container/server images that they upload to public registries.
    Aqua Security says the malware stored inside these malicious containers springs into action and performs malicious actions only after the image is deployed, making it impossible to detect malicious payloads using static analysis or signature-based security systems.
    This has led to multiple groups adopting supply-chain attacks as a method of targeting companies managing cloud infrastructure, as seen in several previously reported cases.
    Furthermore, the malware is also getting more complex, slowly inching closer to the complexity of malware seen targeting desktops. Aqua said it saw malware strains using multi-stage payloads, 64-bit encoding to hide their malicious code, and techniques to disable competing malware on the same system.
    All of this suggests a maturing cybercrime scene that is primarily focused on generating revenue, and the easiest way to do that is by mining cryptocurrency (Monero) on the hacked servers.
    For more details on attacks targeting cloud infrastructure, please refer to Aqua Security’s 71-page 2020 Cloud Native Threat Report.


    US citizen charged with running diamond Ponzi scheme, cryptocurrency scam

    A 51-year-old US citizen has been charged with running a diamond and cryptocurrency-based Ponzi scheme.

    Prosecutors claim that Jose Angel Aman, from Washington, DC, operated a fraudulent investment scheme across the United States and Canada, luring investors with promises of quick returns in the diamond trade.
    The US Department of Justice (DoJ) said on Friday that Aman was the operator of a Ponzi scheme from May 2014 to May 2019. Together with his partners, Aman allegedly solicited individuals to invest in “diamond contracts,” in which their money would be used to buy large, rough, uncut diamonds. 
    These diamonds would then be cut and polished in order to be resold at a profit. To instill trust in the organization, Aman said that funds were backed by his own physical colored diamond stock, apparently worth $25 million. 
    As is the case with many Ponzi and get-rich-quick schemes, investors expect to see a cut of the profits and without this, Ponzi schemes are exposed and collapse quickly. Therefore, Aman allegedly used investor funds to pay off earlier investment “interest,” and as more investors joined the pool, the transfer of funds down the chain continued — without any legitimate profit obtained from diamond purchases. 
    When funds ran low and the operator was at risk of being exposed, he allegedly created “Reinvestment Contracts” to entice users to roll over their cash into new ‘deals’ in order to buy Aman time to sign up new investors. 
    However, this could not carry on forever, and US prosecutors say that Aman set up Argyle Coin as the Ponzi scheme was on the verge of collapse. Argyle Coin claimed to be a cryptocurrency-project backed by diamond trading, and as a fresh wave of investment poured into the coffers, only a “fraction of the money received” was used to create a cryptocurrency token.
    Instead, the DoJ says the majority of the funds were used to pay off investors from the previous Ponzi program, under the names Natural Diamonds Investment Co. (Natural Diamonds) and Eagle Financial Diamond Group Inc (Eagle). 
    “During the course of the Ponzi scheme, Aman and his partners collected over $25 million from hundreds of investors,” prosecutors say. “Aman allegedly used the money to make purported interest payments to investors, to pay business expenses, to pay commissions to the partners, and to support his own lavish lifestyle.”
    Investor funds were allegedly used for purposes including housing rent, horse purchases, and riding lessons.
    In 2019, the Securities and Exchange Commission (SEC) obtained an emergency court order to freeze Argyle Coin’s operations. The US District Court for the Southern District of Florida granted a request for a temporary restraining order and asset freeze while the cryptocurrency organization was investigated. 
    Aman is facing charges of wire fraud, which could result in up to 20 years behind bars, as well as restitution payments. 



    DeFi SushiSwap creator returns $14m in ETH to project after causing coin crash

    “To everyone. I f*cked up. And I am sorry.”
    These are the words of “Chef Nomi,” the creator of the SushiSwap project, after suddenly liquidating his stock, causing a massive price crash of over 70% to the SushiSwap token. 

    SushiSwap is a Decentralized Finance (DeFi) project created by Chef Nomi based on a UniSwap decentralized exchange (DEX) fork for bootstrapping liquidity. 
    When Chef Nomi liquidated funds from the development wallet last week — cashing in roughly $14 million in ETH in the process by swapping out SushiSwap tokens (SUSHI) — the community and investors in the project immediately felt the impact.
    At its peak, SushiSwap was worth $10.76. At the time of writing, the token is valued at $2.32. As reported by CoinDesk, once Chef Nomi liquidated their holdings, prices plummeted from $4.44 to $1.20.
    The community response was immediate, with accusations of an exit scam battering the young project’s reputation. Chef Nomi took to Twitter to defend their actions, insisting that the move was comparable to the creator of Litecoin cashing out funds. However, as users pointed out, the SushiSwap project was only several weeks old. 

    It was not long before the backlash caused a U-turn by the anonymous creator, who transferred ownership to FTX CEO Sam Bankman-Fried and then decided to return the funds cashed out from the developer wallet. 
    “I have returned all the $14M worth of ETH back to the treasury,” Chef Nomi said in a tweet dated September 11. “And I will let the community decide how much I deserve as the original creator of SushiSwap. In any currency (ETH/SUSHI/etc). With any lockup schedule you wish.”
    Seemingly apologetic, the developer said “I f*cked up. And I am sorry,” adding:

    “I hope that SushiSwap continues to evolve. Don’t let my mistake deter it from being a 100% community-run AMM. The success of SushiSwap will set a precedent for many more community-run projects.”

    The project creator said that they will continue to “participate in the discussion and technical implementation of SushiSwap” as a background figure, but whether or not the community will forgive, forget, and accept their future contributions remains to be seen. 
