

AT&T Confirms Data Breach Affecting Nearly All Wireless Customers
13.7.24  Incident  The Hacker News
American telecom service provider AT&T has confirmed that threat actors managed to access data belonging to "nearly all" of its wireless customers as well as customers of mobile virtual network operators (MVNOs) using AT&T's wireless network.

"Threat actors unlawfully accessed an AT&T workspace on a third-party cloud platform and, between April 14 and April 25, 2024, exfiltrated files containing AT&T records of customer call and text interactions that occurred between approximately May 1 and October 31, 2022, as well as on January 2, 2023," it said.

This comprises telephone numbers with which an AT&T or MVNO wireless number interacted – including telephone numbers of AT&T landline customers and customers of other carriers, counts of those interactions, and aggregate call duration for a day or month.

A subset of these records also contained one or more cell site identification numbers, potentially allowing the threat actors to triangulate the approximate location of a customer when a call was made or a text message was sent. AT&T said it will alert current and former customers if their information was involved.

"The threat actors have used data from previous compromises to map phone numbers to identities," Jake Williams, former NSA hacker and faculty at IANS Research, said. "What the threat actors stole here are effectively call data records (CDR), which are a gold mine in intelligence analysis because they can be used to understand who is talking to who — and when."

AT&T's list of MVNOs includes Black Wireless, Boost Infinite, Consumer Cellular, Cricket Wireless, FreedomPop, FreeUp Mobile, Good2Go, H2O Wireless, PureTalk, Red Pocket, Straight Talk Wireless, TracFone Wireless, Unreal Mobile, and Wing.

The name of the third-party cloud provider was not disclosed by AT&T, but Snowflake has since confirmed that the breach was connected to the hack that's impacted other customers, such as Ticketmaster, Santander, Neiman Marcus, and LendingTree, according to Bloomberg.

The company said it became aware of the incident on April 19, 2024, and immediately activated its response efforts. It further noted that it's working with law enforcement in their efforts to arrest those involved, and that "at least one person has been apprehended."

404 Media reported that a 24-year-old U.S. citizen named John Binns, who was previously arrested in Turkey in May 2024, is connected to the security event, citing three unnamed sources. He was also indicted in the U.S. for infiltrating T-Mobile in 2021 and selling its customer data.

However, AT&T emphasized that the accessed information does not include the content of calls or texts, personal information such as Social Security numbers, dates of birth, or other personally identifiable information.

"While the data does not include customer names, there are often ways, using publicly available online tools, to find the name associated with a specific telephone number," it said in a Form 8-K filing with the U.S. Securities and Exchange Commission (SEC).

It's also urging users to be on the lookout for phishing, smishing, and online fraud by only opening text messages from trusted senders. On top of that, customers can submit a request to get the phone numbers of their calls and texts in the illegally downloaded data.

The malicious cyber campaign targeting Snowflake has landed as many as 165 customers in the crosshairs, with Google-owned Mandiant attributing the activity to a financially motivated threat actor dubbed UNC5537 that encompasses "members based in North America, and collaborates with an additional member in Turkey."

The criminals have demanded payments of between $300,000 and $5 million in return for the stolen data. The latest development shows that the fallout from the cybercrime spree is expanding in scope and has had a cascading effect.

WIRED revealed last month how the hackers behind the Snowflake data thefts procured stolen Snowflake credentials from dark web services that sell access to usernames, passwords, and authentication tokens that are captured by stealer malware. This included obtaining access through a third-party contractor named EPAM Systems.

For its part, Snowflake this week announced that administrators can now enforce mandatory multi-factor authentication (MFA) for all users to mitigate the risk of account takeovers. It also said it will soon require MFA for all users in newly created Snowflake accounts.


Twilio's Authy App Breach Exposes Millions of Phone Numbers
4.7.24  Incident  The Hacker News
Cloud communications provider Twilio has revealed that unidentified threat actors took advantage of an unauthenticated endpoint in Authy to identify data associated with Authy accounts, including users' cell phone numbers.

The company said it took steps to secure the endpoint to no longer accept unauthenticated requests.
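The Authy issue described above is a lookup endpoint that answered unauthenticated requests, and the fix was to stop accepting them. The following is an added example, not Twilio's code, that models such an endpoint as a pure function: first the unauthenticated form, then a hardened version that requires a session token, returns only the caller's own record, rate-limits per client, and gives one uniform failure response so the endpoint cannot be used to confirm which account ids exist. The request shape, the token store, the account data and the limits are all assumptions constructed for the example.

```python
"""Added example (not Twilio's or Authy's code): an account-lookup endpoint
modelled as a pure function, unauthenticated first, then hardened.
Request fields, the session store and the rate limit are assumptions."""
import hmac
from collections import defaultdict

# Constructed sample data (not real accounts): account id -> phone number.
ACCOUNTS = {
    "acct-1001": "+15550100001",
    "acct-1002": "+15550100002",
}

# Assumed session store: bearer token -> account id it was issued to.
SESSIONS = {"tok-alice": "acct-1001"}


def lookup_unauthenticated(request):
    """Weak form: no credential is checked, so anyone who can guess or iterate
    account ids receives the phone number, and the distinct 404 confirms which
    ids exist. Returns (status, body)."""
    acct = request.get("account_id")
    if acct in ACCOUNTS:
        return 200, {"phone": ACCOUNTS[acct]}
    return 404, {"error": "no such account"}


class RateLimiter:
    """Minimal per-client counter; a real deployment would use a time window."""

    def __init__(self, limit):
        self.limit = limit
        self.counts = defaultdict(int)

    def allow(self, key):
        self.counts[key] += 1
        return self.counts[key] <= self.limit


def find_session(token):
    """Resolve a token to its account id using a constant-time comparison
    rather than a plain dict lookup, so token matching does not leak timing."""
    for known, acct in SESSIONS.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            return acct
    return None


def lookup_hardened(request, limiter):
    """Hardened form: rate-limit the client, require a valid session token,
    only return the record the token was issued for, and answer every
    failure with the same 403 so the response never reveals whether an
    account id exists. Returns (status, body)."""
    client = request.get("client_ip", "unknown")
    if not limiter.allow(client):
        return 429, {"error": "too many requests"}
    acct = find_session(request.get("authorization", ""))
    if acct is None or acct != request.get("account_id"):
        return 403, {"error": "forbidden"}
    return 200, {"phone": ACCOUNTS[acct]}


if __name__ == "__main__":
    lim = RateLimiter(limit=5)
    print(lookup_unauthenticated({"account_id": "acct-1002"}))
    print(lookup_hardened({"account_id": "acct-1002"}, lim))
    print(lookup_hardened({"account_id": "acct-1001",
                           "authorization": "tok-alice"}, lim))
```

The point of the uniform 403 is that an unauthenticated or wrongly-scoped caller learns nothing from the response body or status that distinguishes a valid account id from an invalid one; the rate limiter is the second control, so that even authenticated clients cannot issue bulk lookups.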

The development comes days after an online persona named ShinyHunters published on BreachForums a database comprising 33 million phone numbers allegedly pulled from Authy accounts.

Authy, owned by Twilio since 2015, is a popular two-factor authentication (2FA) app that adds an additional layer of account security.

"We have seen no evidence that the threat actors obtained access to Twilio's systems or other sensitive data," it said in a July 1, 2024, security alert.

But out of an abundance of caution, it's recommending that users upgrade their Android (version 25.1.0 or later) and iOS (version 26.1.0 or later) apps to the latest version.

It also cautioned that the threat actors may attempt to use the phone number associated with Authy accounts for phishing and smishing attacks.

"We encourage all Authy users to stay diligent and have heightened awareness around the texts they are receiving," it noted.


TeamViewer Detects Security Breach in Corporate IT Environment
28.6.24  Incident  The Hacker News
TeamViewer on Thursday disclosed it detected an "irregularity" in its internal corporate IT environment on June 26, 2024.

"We immediately activated our response team and procedures, started investigations together with a team of globally renowned cyber security experts and implemented necessary remediation measures," the company said in a statement.

It further noted that its corporate IT environment is completely cut off from the product environment and that there is no evidence to indicate that any customer data has been impacted as a result of the incident.

It did not disclose any details as to who may have been behind the intrusion and how they were able to pull it off, but said an investigation is underway and that it would provide status updates as and when new information becomes available.

TeamViewer, based in Germany, is the maker of remote monitoring and management (RMM) software that allows managed service providers (MSPs) and IT departments to manage servers, workstations, network devices, and endpoints. It's used by over 600,000 customers.

Interestingly, the U.S. Health Information Sharing and Analysis Center (Health-ISAC) has issued a bulletin about threat actors' active exploitation of TeamViewer, according to the American Hospital Association (AHA).

"Threat actors have been observed leveraging remote access tools," the non-profit reportedly said. "Teamviewer has been observed being exploited by threat actors associated with APT29."

It's currently unclear whether this means the attackers are abusing shortcomings in TeamViewer to breach customer networks, exploiting poor security practices to infiltrate targets and deploy the software, or have carried out an attack on TeamViewer's own systems.

APT29, also called BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard, and The Dukes, is a state-sponsored threat actor affiliated with the Russian Foreign Intelligence Service (SVR). Recently, it was linked to the breaches of Microsoft and Hewlett Packard Enterprise (HPE).

Microsoft has since revealed that some customer email inboxes were also accessed by APT29 following the hack that came to light earlier this year, per reports from Bloomberg and Reuters.

"This week we are continuing notifications to customers who corresponded with Microsoft corporate email accounts that were exfiltrated by the Midnight Blizzard threat actor," the tech giant was quoted as saying to the news agency.


Midnight Blizzard and Cloudflare-Atlassian Cybersecurity Incidents: What to Know
21.2.24  Incident  The Hacker News

The Midnight Blizzard and Cloudflare-Atlassian cybersecurity incidents raised alarms about the vulnerabilities inherent in major SaaS platforms. These incidents illustrate the stakes involved in SaaS breaches — safeguarding the integrity of SaaS apps and their sensitive data is critical but is not easy. Common threat vectors such as sophisticated spear-phishing, misconfigurations and vulnerabilities in third-party app integrations demonstrate the complex security challenges facing IT systems.

In the case of Midnight Blizzard, password spraying against a test environment was the initial attack vector. For Cloudflare-Atlassian, threat actors initiated the attack via compromised OAuth tokens from a prior breach at Okta, a SaaS identity security provider.

What Exactly Happened?
Microsoft Midnight Blizzard Breach
Microsoft was targeted by the Russian "Midnight Blizzard" hackers (also known as Nobelium, APT29, or Cozy Bear) who are linked to the SVR, the Kremlin's foreign intelligence service unit.

In the Microsoft breach, the threat actors:

Used a password spray strategy on a legacy account and historic test accounts that did not have multi-factor authentication (MFA) enabled. According to Microsoft, the threat actors "[used] a low number of attempts to evade detection and avoid account blocks based on the volume of failures."
Leveraged the compromised legacy account as an initial entry point to then hijack a legacy test OAuth app. This legacy OAuth app had high-level permissions to access Microsoft's corporate environment.
Created malicious OAuth apps by exploiting the legacy OAuth app's permissions. Because the threat actors controlled the legacy OAuth app, they could maintain access to the applications even if they lost access to the initially compromised account.
Granted admin Exchange permissions and admin credentials to themselves.
Escalated privileges from OAuth to a new user, which they controlled.
Consented to the malicious OAuth applications using their newly created user account.
Escalated the legacy application's access further by granting it full access to M365 Exchange Online mailboxes. With this access, Midnight Blizzard could view M365 email accounts belonging to senior staff members and exfiltrate corporate emails and attachments.

Recreation of illustration by Amitai Cohen
Cloudflare-Atlassian Breach
On Thanksgiving Day, November 23, 2023, Cloudflare's Atlassian systems were also compromised by a nation-state attack.

This breach, which started on November 15, 2023, was made possible through the use of compromised credentials that had not been changed following a previous breach at Okta in October 2023.
Attackers accessed Cloudflare's internal wiki and bug database, enabling them to view 120 code repositories in Cloudflare's Atlassian instance.
76 source code repositories related to key operational technologies were potentially exfiltrated.
Cloudflare detected the threat actor on November 23 because the threat actor connected a Smartsheet service account to an admin group in Atlassian.
Threat Actors Increasingly Target SaaS
These breaches are part of a broader pattern of nation-state actors targeting SaaS service providers, including but not limited to espionage and intelligence gathering. Midnight Blizzard previously engaged in significant cyber operations, including the 2021 SolarWinds attack.

These incidents underscore the importance of continuous monitoring of your SaaS environments and the ongoing risk posed by sophisticated cyber adversaries targeting critical infrastructure and operational tech stack. They also highlight significant vulnerabilities related to SaaS identity management and the necessity for stringent 3rd-party app risk management practices.

Attackers use common tactics, techniques and procedures (TTPs) to breach SaaS providers through the following kill chain:

Initial access: Password spray, hijacking OAuth
Persistence: Impersonates admin, creates extra OAuth
Defense Evasion: Highly privileged OAuth, no MFA
Lateral Movement: Broader compromise of connected apps
Data Exfiltration: Grab privileged and sensitive data out of apps
Breaking the SaaS Kill Chain
One effective way to break the kill chain early is with continuous monitoring, granular policy enforcement, and proactive lifecycle management over your SaaS environments. A SaaS Security Posture Management (SSPM) platform like AppOmni can help with detecting and alerting on:

Initial Access: Out-of-the-box rules to detect credential compromise, including password spraying, brute force attacks, and unenforced MFA policies
Persistence: Scan and identify OAuth permissions and detect OAuth hijacking
Defense Evasion: Access policy checks, detect if a new identity provider (IdP) is created, detect permission changes.
Lateral Movement: Monitor logins and privileged access, detect toxic combinations, and understand the blast radius of a potentially compromised account
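Two of the signals discussed in this article lend themselves to concrete detection logic: the low-volume password spray Microsoft describes (a few attempts per account across many accounts, kept under lockout thresholds), and the event that exposed the Cloudflare intrusion (a service account added to an admin group in Atlassian). The block below is an added example, not AppOmni's, Microsoft's or Cloudflare's code, that runs both detections over a constructed audit log. The log format, field names, the `svc-` naming convention for service accounts, the admin group names and the thresholds are all assumptions made for the example.

```python
"""Added example: two SaaS audit-log detections run over constructed events.
Log format, field names, group names and thresholds are assumptions, not
any vendor's schema or rules."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not real telemetry). Columns:
# timestamp|event|subject|target|source_ip|result
# For login events the subject is the account attempted; for
# group_member_add it is the member added and target is the group.
SAMPLE_LOG = """\
2024-01-10T03:00:01Z|login|alice@example.test|-|203.0.113.7|FAIL
2024-01-10T03:00:09Z|login|bob@example.test|-|203.0.113.7|FAIL
2024-01-10T03:00:17Z|login|carol@example.test|-|203.0.113.7|FAIL
2024-01-10T03:00:25Z|login|dave@example.test|-|203.0.113.7|FAIL
2024-01-10T03:00:33Z|login|erin@example.test|-|203.0.113.7|FAIL
2024-01-10T03:00:41Z|login|legacy-test@example.test|-|203.0.113.7|SUCCESS
2024-01-10T03:05:00Z|login|alice@example.test|-|198.51.100.4|FAIL
2024-01-10T03:05:30Z|login|alice@example.test|-|198.51.100.4|SUCCESS
2024-01-10T04:12:00Z|group_member_add|svc-smartsheet@example.test|atlassian-admins|203.0.113.7|SUCCESS
2024-01-10T04:13:00Z|group_member_add|admin@example.test|developers|198.51.100.4|SUCCESS
"""

# Assumed names of privileged groups worth alerting on.
ADMIN_GROUPS = {"atlassian-admins", "site-admins"}


def parse_log(text):
    """Parse the pipe-separated constructed format into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, subject, target, ip, result = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event": event, "subject": subject, "target": target,
            "ip": ip, "result": result,
        })
    return events


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, max_per_account=2):
    """Flag a source IP that fails logins against at least `min_accounts`
    distinct accounts inside `window` while never exceeding `max_per_account`
    failures on any one of them: the low-and-slow pattern that per-account
    lockout rules miss. Successful logins from the same IP are listed too,
    since those are the accounts that need immediate review."""
    fails_by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "login" and e["result"] == "FAIL":
            fails_by_ip[e["ip"]].append(e)
    alerts = []
    for ip, fails in fails_by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        for i, first in enumerate(fails):
            in_window = [e for e in fails[i:] if e["ts"] - first["ts"] <= window]
            per_account = defaultdict(int)
            for e in in_window:
                per_account[e["subject"]] += 1
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_per_account):
                successes = sorted(e["subject"] for e in events
                                   if e["event"] == "login"
                                   and e["result"] == "SUCCESS"
                                   and e["ip"] == ip)
                alerts.append({"ip": ip, "accounts": sorted(per_account),
                               "successes": successes})
                break  # one alert per source IP
    return alerts


def detect_service_account_admin_add(events, admin_groups,
                                     service_prefix="svc-"):
    """Flag any service account (assumed `svc-` prefix) added to a privileged
    group, the kind of change that exposed the Cloudflare intrusion."""
    return [e for e in events
            if e["event"] == "group_member_add"
            and e["result"] == "SUCCESS"
            and e["target"] in admin_groups
            and e["subject"].startswith(service_prefix)]


EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    for a in detect_password_spray(EVENTS):
        print("password spray from", a["ip"], "->", a["accounts"],
              "successes:", a["successes"])
    for e in detect_service_account_admin_add(EVENTS, ADMIN_GROUPS):
        print("service account", e["subject"], "added to", e["target"])
```

The spray detector keys on the source rather than the account, which is what makes it catch one or two failures per account spread over dozens of accounts; the thresholds should be tuned against a baseline of the tenant's normal failed-login volume, and the second detector is only as good as the list of groups an organisation considers privileged.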

Note: This expertly contributed article is written by Beverly Nevalga, AppOmni.


Hackers Exploit Job Boards, Stealing Millions of Resumes and Personal Data
6.2.24  Incident  The Hacker News

Employment agencies and retail companies chiefly located in the Asia-Pacific (APAC) region have been targeted by a previously undocumented threat actor known as ResumeLooters since early 2023 with the goal of stealing sensitive data.

Singapore-headquartered Group-IB said the hacking crew's activities are geared towards job search platforms and the theft of resumes, with as many as 65 websites compromised between November 2023 and December 2023.

The stolen files are estimated to contain 2,188,444 user data records, of which 510,259 have been taken from job search websites. Over two million unique email addresses are present within the dataset.

"By using SQL injection attacks against websites, the threat actor attempts to steal user databases that may include names, phone numbers, emails, and DoBs, as well as information about job seekers' experience, employment history, and other sensitive personal data," security researcher Nikita Rostovcev said in a report shared with The Hacker News.

"The stolen data is then put up for sale by the threat actor in Telegram channels."

Group-IB said it also uncovered evidence of cross-site scripting (XSS) infections on at least four legitimate job search websites that are designed to load malicious scripts responsible for displaying phishing pages capable of harvesting administrator credentials.

ResumeLooters is the second group after GambleForce that has been found staging SQL injection attacks in the APAC region since late December 2023.

A majority of the compromised websites are based in India, Taiwan, Thailand, Vietnam, China, Australia, and Turkey, although compromises have also been reported from Brazil, the U.S., Turkey, Russia, Mexico, and Italy.

The modus operandi of ResumeLooters involves the use of the open-source sqlmap tool to carry out SQL injection attacks and drop and execute additional payloads such as the BeEF (short for Browser Exploitation Framework) penetration testing tool and rogue JavaScript code designed to gather sensitive data and redirect users to credential harvesting pages.

The cybersecurity company's analysis of the threat actor's infrastructure reveals the presence of other tools like Metasploit, dirsearch, and xray, alongside a folder hosting the pilfered data.

The campaign appears to be financially motivated, given that ResumeLooters set up two Telegram channels named 渗透数据中心 and 万国数据阿力 last year to sell the information.

"ResumeLooters is yet another example of how much damage can be made with just a handful of publicly available tools," Rostovcev said. "These attacks are fueled by poor security as well as inadequate database and website management practices."

"It is striking to see how some of the oldest yet remarkably effective SQL attacks remain prevalent in the region. However, the tenacity of the ResumeLooters group stands out as they experiment with diverse methods of exploiting vulnerabilities, including XSS attacks."


AnyDesk Hacked: Popular Remote Desktop Software Mandates Password Reset
3.2.24  Incident  The Hacker News
Remote desktop software maker AnyDesk disclosed on Friday that it suffered a cyber attack that led to a compromise of its production systems.

The German company said the incident, which it discovered following a security audit, is not a ransomware attack and that it has notified relevant authorities.

"We have revoked all security-related certificates and systems have been remediated or replaced where necessary," the company said in a statement. "We will be revoking the previous code signing certificate for our binaries shortly and have already started replacing it with a new one."

Out of an abundance of caution, AnyDesk has also revoked all passwords to its web portal, my.anydesk[.]com, and it's urging users to change their passwords if the same passwords have been reused on other online services.

It's also recommending that users download the latest version of the software, which comes with a new code signing certificate.

AnyDesk did not disclose when and how its production systems were breached. It's currently not known if any information was stolen following the hack. However, it emphasized there is no evidence that any end-user systems have been affected.

Earlier this week, Günter Born of BornCity disclosed that AnyDesk had been under maintenance since January 29. The issue was addressed on February 1. Previously, on January 24, the company also alerted users of "intermittent timeouts" and "service degradation" with its Customer Portal.

AnyDesk boasts over 170,000 customers, including Amedes, AutoForm Engineering, LG Electronics, Samsung Electronics, Spidercam, and Thales.

The disclosure comes a day after Cloudflare said it was breached by a suspected nation-state attacker using stolen credentials to gain unauthorized access to its Atlassian server and ultimately access some documentation and a limited amount of source code.