Programmer Walter Delgatti Neto exploited a series of cybersecurity loopholes in the National Council of Justice (CNJ) and a bug in the GitHub platform to access the National Bank of Arrest Warrants (BNMP). He then created a false warrant against Supreme Federal Court (STF) minister Alexandre de Moraes. Investigators believe that he carried out the invasion at the request of Carla Zambelli, a Federal Deputy allied with former President Jair Bolsonaro.
Primary Flaws
Delgatti testified on 2 August and revealed a series of potential primary flaws in the CNJ’s cybersecurity protocols. Between September 2022 and January of this year, he breached the system and inserted the fake documents, which included, in addition to the arrest warrant against Moraes, 11 release orders that benefited supporters of the former President.
The programmer mentioned basic flaws that allowed the invasion, such as passwords like “123change”, reused access credentials and a lack of two-factor authentication. On top of that, at least one of the systems used during the invasion had not been updated for two years.
The Path of the Invasion
Exploiting these basic gaps, the hacker followed conversations among CNJ technicians in an internal communication channel for three months and accessed a robot capable of editing the council’s code, which allowed him to analyze the justice systems “line by line”.
By reading the chats, he obtained a CNJ software engineer’s login and password for a management system. The same credentials worked on the council’s intranet, where there was also no two-factor verification. This gave Delgatti access to all database passwords, some of which were unencrypted.
The attacker then gained access to an IT consultant’s account on the Access Control System, which grants permissions to other systems. This professional works at UNDP (United Nations Development Program), which maintains technical cooperation agreements with the CNJ to develop and update digital systems, such as the BNMP.
Finally, he created a fake magistrate account in the BNMP and in Sisbajud, the system that sends court orders.
Delgatti’s invasion began in the CNJ repository on GitHub, a platform that hosts source code to allow collaborative software development. There, he found files that contained access keys and tokens to the CNJ’s systems. The council hosts its code on GitHub and the competing platform GitLab as a policy of transparency.
Federal Deputy Zambelli
Zambelli is under investigation for having requested the invasion from the cybercriminal. Data from financial transactions he delivered to the Federal Police show that people close to deputy Carla Zambelli (PL-SP) transferred R$ 13,500 to the hacker.
Analysis:
The hacker attack on the National Justice Council (CNJ) system, which allowed the creation of a fake arrest warrant against Alexandre de Moraes, a minister of the Supreme Court (STF), Brazil’s top court, highlights the weakness of Brazilian cyber systems, particularly those that belong to the country’s public institutions. That view is reinforced by a series of previously reported attacks, such as one that targeted the Health Ministry’s system during the Covid-19 pandemic and forced the page that reported the number of cases and deaths, along with other services, to remain offline for several weeks in a row.
Source: Folha de SP; G1