More stories


    Fujitsu says stolen data being sold on dark web 'related to customers'

    Data from Japanese tech giant Fujitsu is being sold on the dark web by a group called Marketo, but the company said the information “appears related to customers” and not to its own systems. On August 26, Marketo wrote on its leak site that it had 4 GB of stolen data and was selling it. The group provided samples of the data and claimed to have confidential customer information, company data, budget data, reports and other company documents, including information on projects. Initially, the group’s leak site said it had 280 bids on the data; at the time of writing it shows 70 bids, including one placed today. A screenshot of the leak site.
    Etay Maor
    A Fujitsu spokesperson downplayed the incident and told ZDNet that there was no indication it was connected to a situation in May when hackers stole data from Japanese government entities through Fujitsu’s ProjectWEB platform. “We are aware that information has been uploaded to the dark web auction site ‘Marketo’ that purports to have been obtained from our site. Details of the source of this information, including whether it comes from our systems or environment, are unknown,” a Fujitsu spokesperson told ZDNet. “Because this includes information that appears related to customers, we will refrain from commenting on the details. I assume that you may recall the last event of ProjectWEB in May, but there is no indication that this includes information leaked from ProjectWEB, and we believe that this matter is unrelated.” Cybersecurity experts such as Cato Networks senior director of security strategy Etay Maor questioned the number of bids on the data, noting that the Marketo group controls the website and could easily change the number as a way to put pressure on buyers.

    But Ivan Righi, cyber threat intelligence analyst with Digital Shadows, said Marketo is known to be a reputable source. Righi said the legitimacy of the stolen data cannot be confirmed but noted that previous data leaks by the group have proven to be genuine. “Therefore, it is likely that the data exposed on their website is legitimate. At the time of writing, Marketo has only exposed a 24.5 MB ‘evidence package,’ which contained some data relating to another Japanese company called Toray Industries. The group also provided three screenshots of spreadsheets allegedly stolen in the attack,” Righi said. He explained that while Marketo is not a ransomware group, it operates similarly to ransomware threat actors. “The group infiltrates companies, steals their data, and then threatens to expose that data if a ransom payment is not made. If a company does not respond to the threat actor’s ransom demand, they are eventually posted on the Marketo data leak site,” Righi told ZDNet. “Once a company is posted on the Marketo site, an evidence package is usually provided with some data stolen from the attack. The group will then continue to threaten the companies and expose data periodically, if the ransom is not paid. While the group does have an auction section on their website, not all victims are available in this section, and Fujitsu has not been put up for auction publicly at the time of writing. It is unknown where the 70 bids purportedly came from, but it is possible that these bids may originate from closed auctions.” Digital Shadows wrote a report about the group in July, noting that it was created in April 2021 and often markets its stolen data through a Twitter profile by the name of @Mannus Gott. The account has taunted Fujitsu in recent days, writing on Sunday, “Oh, the sweet, sweet irony. One of the largest IT services provider couldn’t find themselves an adequate protection.” The gang has repeatedly claimed it is not a ransomware group but an “informational marketplace.” It contacted multiple news outlets in May to tout its work. “The marketplace itself operates in a similar fashion to other data leak sites with some unique features. Interestingly the group includes an ‘Attacking’ section naming organizations that are in the progress of being attacked. The marketplace allows for user registration and provides a contact section for victim and press inquiries,” Digital Shadows’ Photon Research Team wrote. “Victims are provided a link to a separate chat to conduct negotiations. Within the individual posts, Marketo provides a summary of the organization, screenshots of seemingly compromised data, and a link to an ‘evidence pack’ otherwise known as a proof. They auction sensitive data in the form of a silent auction through a blind bidding system where users make bids based on what they think the data is worth.”
    Digital Shadows
    In the past, the group has gone so far as to send samples of stolen data to a company’s competitors, clients and partners as a way to shame victims into paying to get their data back. The group has listed dozens of companies on its leak site, including Puma recently, and generally leaks one each week, mostly selling data from organizations in the US and Europe. At least seven industrial goods and services companies have been hit, alongside organizations in the healthcare and technology sectors.


    Passport info and healthcare data leaked from Indonesia's COVID-19 test-and-trace app for travelers

    Researchers with vpnMentor have uncovered a data breach involving the COVID-19 test-and-trace app created by the Indonesian government for those traveling into the country. The app — named electronic Health Alert Card, or eHAC — was created in 2021 by the Indonesian Ministry of Health, but the vpnMentor team, led by Noam Rotem and Ran Locar, said it did not have proper data privacy protocols in place and exposed the sensitive data of more than one million people through an open server. The app was built to hold the test results of those traveling into the country to make sure they were not carrying COVID-19, and it is mandatory for anyone flying into Indonesia from another country. Both foreigners and Indonesian citizens must download the app, even those traveling domestically within the country. The eHAC app keeps track of a person’s health status, personal information, contact information, COVID-19 test results and other data.

    Rotem and Locar said their team discovered the exposed database “as part of a broader effort to reduce the number of data leaks from websites and apps around the world.” “Our team discovered eHAC’s records with zero obstacles, due to the lack of protocols in place by the app’s developers. Once they investigated the database and confirmed the records were authentic, we contacted the Indonesian Ministry of Health and presented our findings,” the vpnMentor research team said. “After a couple of days with no reply from the ministry, we contacted Indonesia’s Computer Emergency Response Team agency and, eventually, Google — eHAC’s hosting provider. By early August, we had not received a reply from any of the concerned parties. We tried to reach out to additional governmental agencies, one of them being the BSSN (Badan Siber dan Sandi Negara), which was established to carry out activities in the field of cyber security. We contacted them on August 22nd and they replied on the same day. Two days later, on August 24, the server was taken down.” 

    The Indonesian Ministry of Health and Foreign Ministry did not respond to requests for comment from ZDNet. In their report, the researchers explain that the people who created eHAC used an “unsecured Elasticsearch database to store over 1.4 million records from approximately 1.3 million eHAC users.” On top of the leak of sensitive user data, the researchers found that all of the infrastructure around eHAC was exposed, including private information about local Indonesian hospitals as well as government officials who used the app. The data involved in the leak includes user IDs — which ranged from passports to national Indonesian ID numbers — as well as COVID-19 test results and data, hospital IDs, addresses, phone numbers, URN ID numbers and URN hospital ID numbers. For Indonesians, full names, numbers, dates of birth, citizenship, jobs and photos were included in the leaked data.

    The researchers also found data from 226 hospitals and clinics across Indonesia as well as the name of the person responsible for testing each traveller, the doctors who ran the test, information about how many tests were done each day and data on what kinds of travelers were allowed at the hospital. The leaked database even had personal information for a traveler’s parents or next of kin as well as their hotel details and other information about when the eHAC account was created. Even eHAC staff members had their names, ID numbers, account names, email addresses and passwords leaked. “Had the data been discovered by malicious or criminal hackers, and allowed to accumulate data on more people, the effects could have been devastating on an individual and societal level,” the researchers said. “The massive amount of data collected and exposed for each individual using eHAC left them incredibly vulnerable to a wide range of attacks and scams. With access to a person’s passport information, date of birth, travel history, and more, hackers could target them in complex (and simple) schemes to steal their identity, track them down, scam them in person, and defraud them of thousands of dollars. Furthermore, if this data wasn’t sufficient, hackers could use it to target a victim in phishing campaigns over email, text, or phone calls.” 

    The vpnMentor research team uses “large-scale web scanners” to search for unsecured data stores containing information that shouldn’t be exposed. “Our team was able to access this database because it was completely unsecured and unencrypted. eHAC was using an Elasticsearch database, which is ordinarily not designed for URL use,” the researchers added. “However, we were able to access it via browser and manipulate the URL search criteria into exposing schemata from a single index at any time. Whenever we find a data breach, we use expert techniques to verify the owner of the database, usually a commercial business.” In practice that is simply Elasticsearch’s REST API: index listings, mappings and `_search` queries are all answered to plain HTTP GET requests, so with no authentication in front of the port a browser is all an attacker needs. The report notes that with all of this data, it would be easy for hackers to pose as health officials and conduct any number of scams on any of the 1.3 million people whose information was leaked. Hackers could also have changed data in the eHAC platform, potentially hampering the country’s COVID-19 response. The researchers noted that they were wary of testing any of these potential attacks out of fear of disrupting the country’s efforts to contain COVID-19, which may already have been damaged by the government’s haphazard management of the database. The vpnMentor team added that if there had been a hack or ransomware attack involving the database, it could have led to the kind of distrust, misinformation and conspiracy theories that have gained a foothold in dozens of countries. “If the Indonesian people learned the government had exposed over 1 million people to attack and fraud via an app built to combat the virus, they may be reluctant to engage in broader efforts to contain it — including vaccine drives,” the researchers said. “Bad actors would undoubtedly exploit the leak for their gain, jumping on any frustration, fear, or confusion, creating mistruths and exaggerating the leak’s impact beyond all reasonable proportion.
All of these outcomes could significantly slow down Indonesia’s fight against Coronavirus (and misinformation in general) while forcing them to use considerable time and resources to fix their own mess. The result is further pain, suffering, and potential loss of life for the people of Indonesia.” The researchers said the designers of the eHAC system should have secured the servers, implemented proper access rules and never left a system that required no authentication open to the internet. They urged those who think their information may have been affected to contact the Indonesian Ministry of Health directly to find out what steps to take next. eHAC is far from the only COVID-19 related app to face such problems. Since the beginning of the pandemic, the emergence of contact tracing apps has worried researchers, who have repeatedly shown how faulty these tools can be. Just last week, Microsoft faced significant backlash after misconfigured Power Apps portals were found to have exposed 38 million records online, including contact tracing records. In May, the personal health information of tens of thousands of Pennsylvanians was exposed following a data breach at a Department of Health vendor; the department accused the vendor of exposing the data of 72,000 people by willfully disregarding security protocols.
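    The exposure the researchers describe, an Elasticsearch node answering unauthenticated HTTP requests so that anyone with a browser can list indices and read their mappings, is easy to test for from the outside. The following Python is an added example written for this page, not vpnMentor’s scanner and not code from the eHAC project: it classifies what a node’s root banner says about its authentication state and walks a `GET /<index>/_mapping` reply for field names that suggest personal data. The banner and mapping documents embedded below are constructed to resemble Elasticsearch 7.x output; the `health-alert` cluster name, the `ehac_users` and `hospitals` indices and every field name are hypothetical. `probe()` fetches a live banner and is only meant for hosts you are authorised to test.

```python
"""Triage an Elasticsearch node reachable over plain HTTP.

Added example written for this page; not vpnMentor's scanner and not code
from the eHAC project. Sample responses are constructed to resemble
Elasticsearch 7.x output and every index and field name is hypothetical.
"""
import json
import re
import urllib.error
import urllib.request
from typing import Dict, List

# Field-name tokens (delimited by '_') that usually mark PII or credentials.
SENSITIVE_TOKEN = re.compile(
    r"(?:^|_)(?:passport|nik|id_number|dob|birth|phone|email|address|"
    r"password|pin|citizenship|result)(?:_|$)",
    re.IGNORECASE,
)


def classify_root_response(status: int, body: str) -> str:
    """Interpret the reply to GET / on the suspected node.

    'auth_required'        - Elasticsearch with security on (401/403)
    'open_unauthenticated' - the cluster banner came back with no credentials
    'not_elasticsearch'    - something else is listening
    """
    if status in (401, 403):
        return "auth_required"
    if status != 200:
        return "not_elasticsearch"
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return "not_elasticsearch"
    if not isinstance(doc, dict):
        return "not_elasticsearch"
    version = doc.get("version")
    # The banner always carries cluster_name and version.number.
    if "cluster_name" in doc and isinstance(version, dict) and "number" in version:
        return "open_unauthenticated"
    return "not_elasticsearch"


def sensitive_fields(mapping_doc: dict) -> Dict[str, List[str]]:
    """Walk a GET /<index>/_mapping reply and list fields whose names suggest
    personal data, keyed by index. Nested objects are reported as dotted
    paths such as 'next_of_kin.phone'."""
    found: Dict[str, List[str]] = {}
    for index_name, body in mapping_doc.items():
        props = body.get("mappings", {}).get("properties", {})
        hits = sorted(_walk(props, ""))
        if hits:
            found[index_name] = hits
    return found


def _walk(props: dict, prefix: str) -> List[str]:
    hits: List[str] = []
    for name, spec in props.items():
        path = prefix + name
        if SENSITIVE_TOKEN.search(name):
            hits.append(path)
        if isinstance(spec, dict) and "properties" in spec:  # object field
            hits.extend(_walk(spec["properties"], path + "."))
    return hits


def probe(base_url: str, timeout: float = 5.0) -> str:
    """Fetch the root banner from a live node and classify it.
    Only point this at hosts you are authorised to test."""
    req = urllib.request.Request(base_url.rstrip("/") + "/",
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_root_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return classify_root_response(err.code, "")


# Constructed sample of GET / on an open 7.x node (not a real eHAC response).
SAMPLE_BANNER = json.dumps({
    "name": "node-1",
    "cluster_name": "health-alert",
    "version": {"number": "7.10.2"},
    "tagline": "You Know, for Search",
})

# Constructed sample of GET /_mapping; index and field names are hypothetical.
SAMPLE_MAPPING = {
    "ehac_users": {"mappings": {"properties": {
        "full_name": {"type": "text"},
        "passport_number": {"type": "keyword"},
        "dob": {"type": "date"},
        "test_result": {"type": "keyword"},
        "next_of_kin": {"properties": {
            "name": {"type": "text"},
            "phone": {"type": "keyword"},
        }},
    }}},
    "hospitals": {"mappings": {"properties": {
        "hospital_id": {"type": "keyword"},
        "city": {"type": "keyword"},
    }}},
}

if __name__ == "__main__":
    print(classify_root_response(200, SAMPLE_BANNER))   # open_unauthenticated
    print(classify_root_response(401, ""))              # auth_required
    for index, fields in sensitive_fields(SAMPLE_MAPPING).items():
        print(index, "->", ", ".join(fields))
```

    A node with security enabled (`xpack.security.enabled: true`, which the 7.x line left off by default even though basic authentication had been free since 6.8) answers the root request with 401 instead of the banner, and binding `network.host` to a private interface behind the application tier keeps port 9200 off the internet altogether. The field walk is the part worth keeping after the probe: it turns “an open index” into a list of exactly which personal data is readable, which is what a notification decision needs.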


    Bangkok Airways apologizes for passport info breach as LockBit ransomware group threatens data leak

    Bangkok Airways has apologized for a data breach involving passport information and other personal data in a statement to customers. The company said that it discovered a “cybersecurity attack which resulted in unauthorized and unlawful access to its information system” on August 23. 

    The statement said the company is “deeply sorry for the worry and inconvenience that this malicious incident has caused.” Bangkok Airways did not respond to requests for comment from ZDNet about how many customers were involved in the breach or what timeframe the data came from, but in its statement the company said an investigation revealed that the names, nationalities, genders, phone numbers, emails, addresses, contact information, passport information, historical travel information, partial credit card information and special meal information of passengers of the airline had been accessed. The company said it is still investigating the attack and is working on strengthening its IT systems as it identifies potential victims. The attackers were not able to affect Bangkok Airways’ operational or aeronautical security systems, according to the statement, and the Royal Thai Police have been notified of the incident.

    “For primary prevention measures, the company highly recommends passengers to contact their bank or credit card provider and follow their advice and change any compromised passwords as soon as possible,” the company said. “In addition to that, the company would like to caution passengers to be aware of any suspicious or unsolicited calls and/or emails, as the attacker may be claiming to be Bangkok Airways and attempt to gather personal data by deception (known as ‘phishing’).” The airline urged customers to contact the police or take legal action if they receive any notices purporting to be from Bangkok Airways asking for credit card details or other information. The announcement, released on Friday, coincided with a notice from the LockBit ransomware group saying it planned to release 103 GB of compressed files that it claimed were stolen from Bangkok Airways. A screenshot of the LockBit ransomware data leak site.
    DarkTracer
    The group said it would release the data on August 30, but in the past it has extended deadlines or reneged on threats to release data. LockBit operators faced criticism weeks ago when they threatened to leak data they said was stolen from billion-dollar tech services company Accenture. They repeatedly pushed back the deadline before Accenture came forward to dismiss claims that any significant data was taken. The Australian Cyber Security Centre released an advisory in early August noting that the LockBit ransomware group had relaunched after a brief dip in activity and has ramped up attacks. Members of the group are actively exploiting an existing vulnerability in the Fortinet FortiOS and FortiProxy products, identified as CVE-2018-13379 (a path traversal in the SSL VPN web portal that lets unauthenticated requests read system files, including the file holding VPN session credentials), in order to gain initial access to specific victim networks, the advisory said. “The ACSC is aware of numerous incidents involving LockBit and its successor ‘LockBit 2.0’ in Australia since 2020. The majority of victims known to the ACSC have been reported after July 2021, indicating a sharp and significant increase in domestic victims in comparison to other tracked ransomware variants,” the release added. “The ACSC has observed LockBit affiliates successfully deploying ransomware on corporate systems in a variety of sectors including professional services, construction, manufacturing, retail and food.” In June, the Prodaft Threat Intelligence team published a report examining LockBit’s RaaS structure and its affiliates’ proclivity for buying Remote Desktop Protocol access to servers as an initial attack vector. “Commercial and professional services as well as the transportation sector are also highly targeted by the LockBit group,” Prodaft said. Those who believe they may have been affected by the attack are urged to contact infosecurity@bangkokair.com for more information.
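    For the initial-access vector the ACSC names, a defender’s first question is whether anyone has already thrown the CVE-2018-13379 probe at their SSL VPN portal. The block below is an added example written for this page, not tooling from the ACSC, Fortinet or Prodaft; it scans access-log lines for requests to the portal’s language endpoint whose `lang` parameter carries a traversal sequence, which is the form the publicly documented probe for this CVE takes. The log lines are constructed in combined log format as a reverse proxy or WAF in front of the portal might record them; the addresses are from documentation ranges and the byte counts and user agents are made up.

```python
"""Flag CVE-2018-13379 probes in HTTP access logs.

Added example written for this page, not tooling from the ACSC, Fortinet or
Prodaft. The FortiOS SSL-VPN path traversal is reached through
/remote/fgt_lang with a traversal sequence in the lang parameter (the
publicly documented probe reads /dev/cmdb/sslvpn_websession). The log lines
below are constructed in combined log format; addresses are documentation
ranges.
"""
import re
from typing import List, NamedTuple, Optional
from urllib.parse import parse_qs, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
VULN_PATH = "/remote/fgt_lang"
# Legitimate lang values are short language codes such as en, fr, ja, sc, tc.
LANG_OK = re.compile(r"[A-Za-z0-9_-]{1,16}")


class Hit(NamedTuple):
    src_ip: str
    timestamp: str
    status: str
    lang: str
    reason: str


def lang_param(target: str) -> str:
    """Return the decoded lang query value of a request target ('' if absent).
    parse_qs decodes once; decoding again catches double-encoded traversal."""
    query = urlsplit(target).query
    raw = parse_qs(query, keep_blank_values=True).get("lang", [""])[0]
    return unquote(raw)


def check_request(target: str) -> Optional[str]:
    """Reason the request target looks like a CVE-2018-13379 probe, else None."""
    if urlsplit(target).path != VULN_PATH:
        return None
    lang = lang_param(target)
    if ".." in lang or "/" in lang or "\\" in lang:
        return "path traversal in lang parameter"
    if not LANG_OK.fullmatch(lang):
        return "unexpected lang value"
    return None


def scan_log(text: str) -> List[Hit]:
    """Run check_request over every parseable line and collect the hits."""
    hits: List[Hit] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = check_request(m.group("target"))
        if reason:
            hits.append(Hit(m.group("ip"), m.group("ts"), m.group("status"),
                            lang_param(m.group("target")), reason))
    return hits


# Constructed sample log (not from any real incident).
SAMPLE_LOG = """\
203.0.113.7 - - [29/Aug/2021:02:14:11 +0000] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 18320 "-" "python-requests/2.25.1"
198.51.100.4 - - [29/Aug/2021:02:15:02 +0000] "GET /remote/fgt_lang?lang=en HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Aug/2021:02:16:40 +0000] "GET /remote/fgt_lang?lang=%2F..%2F..%2F..%2F..%2F%2F%2F%2F%2F%2F%2F%2F%2F%2Fdev%2Fcmdb%2Fsslvpn_websession HTTP/1.1" 200 18320 "-" "curl/7.68.0"
198.51.100.9 - - [29/Aug/2021:02:17:13 +0000] "GET /remote/login?lang=en HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.src_ip} status={hit.status} "
              f"{hit.reason}: lang={hit.lang!r}")
```

    A hit that came back with status 200 is the one to treat as a probable credential disclosure, since vulnerable builds answer the probe with the session file; the same request against a patched build returns nothing useful. The check matches the endpoint plus any traversal rather than the exact documented string, so URL-encoded and slash-padded variants are caught as well, and the same regular-expression set can be pointed at a WAF export or a packet capture rendered as request lines.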


    Singapore touts need for security, use cases as 5G rollouts gather steam

    Singapore has underscored the need for 5G networks to remain secure and resilient, and for use cases to be developed and tested so the ecosystem can thrive. Its calls come as local telco Singtel announces new customer trials running on its standalone 5G network, including in logistics and manufacturing. Unlike previous generations, which were primarily hardware-based, 5G systems are software-driven. This architectural change could create new potential security vulnerabilities, according to Singapore’s Minister for Communications and Information Josephine Teo.

    “As we expand the adoption of 5G, we must be mindful of the potential for new cyber risks,” Teo said Monday in a speech broadcast during Singtel’s virtual event, which featured new trials the telco was running on its 5G standalone network. “Digital infrastructure must be secure. Consumers and businesses must have confidence that our 5G networks are resilient,” she said. “It is important to uphold Singapore’s reputation as a trusted player, here and abroad.” She noted that the Infocomm Media Development Authority (IMDA) had stressed “security and resilience” as regulatory priorities. The industry regulator last year announced a 5G security testbed initiative, in which IMDA worked alongside telcos to boost their security posture and capabilities, Teo said. She added that local telcos had “committed to adopt” a zero-trust security posture, meaning every activity would have to be verified before it was trusted. Carriers would also have to implement constant monitoring and be vigilant for suspicious activity, the minister said. She suggested telcos could further tap global market opportunities if they were able to differentiate their services in the 5G cybersecurity segment.

    In particular, they would need to play their role in driving the local ecosystem and adoption of 5G, she said. “Imagine an appstore with no apps for us to download. Likewise, 5G infrastructure itself cannot deliver magic without actual use cases being developed, tested, and scaled up,” Teo said. Singtel Group CEO Yuen Kuan Moon pointed to 5G’s potential to “transform” business models and drive the development of new products and services, including stimulating new growth to “reinvigorate” the Singapore telco’s own core business. Yuen said the combination of Internet of Things (IoT) and artificial intelligence (AI) would provide more intelligent connectivity, delivering new value propositions for organisations and consumers. For enterprises in particular, he touted Singtel’s MEC (Multi-access Edge Computing) platform as the vehicle to develop new applications such as smart city planning and 5G-powered e-racing. Singtel today announced it was working with virtual car racing operator Formula Square to test a 5G-powered experience of racing remote-controlled cars at Sentosa.

    Use cases that tap key 5G benefits

    Asked if the telco was focusing on key verticals in running 5G pilots, Singtel’s vice president for 5G enterprise and cloud Dennis Wong said potential use cases cut across multiple sectors including manufacturing, logistics, financial services, and retail. Some functionalities and applications saw quicker adoption than others; drones and autonomous vehicles, for example, faced regulatory issues that were still evolving and ecosystems that were less mature, and would require more time before 5G adoption picked up, Wong said in an interview with ZDNet. Some applications, such as video analytics, were seeing high interest as they were easily realised and had different use cases that could be deployed across multiple verticals, he noted. The technology, for instance, could be used in manufacturing to identify defects or in transport for security. Video streaming also could be used in the medical field. In exploring potential use cases, he said the key benefits of 5G were its ability to deliver low latency, high data speeds, and enhanced security. These would help organisations willing to adopt the technology identify applications they could develop, and then work with Singtel and its partners to build them. Asked how many trials Singtel was currently running with its enterprise customers, Wong said the number was in the “multiple tens”. He added that several others had been rejected for various reasons, including a lack of value proposition and an immature ecosystem. He said the telco’s “5G network in a box” service, called Genie, was also seeing high interest, with enterprise customers requesting to extend their loan period beyond the standard two weeks. Asked, he declined to say how many of these boxes were currently in circulation. Launched in April, Genie was touted to provide a 5G network environment anywhere with an available power source, enabling enterprises to deploy and test their applications. Tucked inside a suitcase-sized container, Genie comprises a 5G network control kit as well as a standing mount with a 5G radio antenna. The box was built to work with the telco’s MEC infrastructure, which was heavily pitched today as the platform on which applications are optimised for 5G’s key features, including low latency, high bandwidth, and real-time compute capabilities at the edge, such as data analytics and AI processing. Singtel in recent months also inked partnerships with partners including Microsoft and Amazon Web Services (AWS), so enterprise customers of these hyperscalers could run their applications on the telco’s MEC and 5G infrastructure, Wong said. Yuen added that 5G and AI, along with data analytics, would be key drivers in Singapore’s digital economy post-pandemic, especially as COVID-19 had accelerated digital transformation across all industries. Powered by 5G, the ability to collect and analyse data in large volumes and in real time would further speed up the adoption of AI and transform businesses, he said. He added that this would play out over the next one to two years as the industry began to embrace digitalisation and tap AI and 5G as the foundation of its digital transformation. According to Teo, Singapore was on track to have nationwide outdoor coverage on 5G standalone networks by 2025, with half of the island to have coverage by end-2022. Singtel’s Singapore CEO for consumer Anna Yip said the telco currently had more than 180,000 5G subscribers.


    VPN Unlimited deal: Save 80% on a lifetime subscription for 5 devices

    StackCommerce
    It’s really appalling how much of our data we give away freely to businesses that we deal with since it leaves us so vulnerable should their security be breached. Because, unfortunately, that happens far too frequently these days. It’s now imperative that we take the strongest possible measures to protect ourselves on both computers and mobile devices. Thankfully, a very affordable KeepSolid VPN Lifetime subscription will help free us from worry on up to 5 devices and you can currently get a $30 store credit if you buy one.

    KeepSolid VPN not only protects you with its AES 256-bit encryption on macOS, Windows, Android and iOS devices, it even includes a kill switch and an extremely strict zero-logging policy in order to protect your privacy. Best of all, you get all of that protection without sacrificing any of your connection speed and with absolutely no limits on either your bandwidth or your speed. That means you can work or stream without any buffering. And since KeepSolid VPN has more than 400 servers around the globe, you can enjoy content anywhere you like without having to worry about geo-restrictions while accessing Netflix, BBC iPlayer, Hulu, ESPN+, HBO, and much more. You could even train for an exciting new career while traveling for business or pleasure. KeepSolid VPN offers 24/7 customer service, but it’s so user-friendly you may never need it. You also get the added convenience of features such as Trusted Networks, Ping Tests, Favorite Servers, and more. It’s no wonder that more than 10,000,000 users worldwide trust the protection of KeepSolid VPN. A VPN Special review sums up the benefits: “KeepSolid VPN Unlimited offers amazing services and its advanced features make it a solid VPN service provider.” Don’t pass up this chance to get a lifetime of powerful protection to keep you safe online anywhere in the world. Get KeepSolid VPN Lifetime with 5 Devices + $30 Store Credit today while it’s available for only $39.99, an 80% discount off the usual $199 price.



    T-Mobile hack: Everything you need to know

    T-Mobile, one of the biggest telecommunications companies in the US, was hacked nearly two weeks ago, exposing the sensitive information of more than 50 million current, former and prospective customers. Names, addresses, social security numbers, driver’s licenses and ID information for about 48 million people were accessed in the hack, which initially came to light on August 16. Here’s everything we know so far.

    What is T-Mobile?
    T-Mobile is a subsidiary of German telecommunications company Deutsche Telekom AG providing wireless voice, messaging and data services to customers in dozens of countries. In the US, the company has more than 104 million customers and became the second largest telecommunications company behind Verizon after its $26 billion merger with Sprint, announced in 2018 and completed in 2020.

    How many people are affected by the hack?
    T-Mobile released a statement last week confirming that the names, dates of birth, social security numbers, driver’s licenses and phone numbers, as well as IMEI and IMSI information, for about 7.8 million customers had been stolen in the breach. Another 40 million former or prospective customers had their names, dates of birth, social security numbers and driver’s licenses leaked. More than 5 million “current postpaid customer accounts” also had information like names, addresses, dates of birth, phone numbers, IMEIs and IMSIs illegally accessed. T-Mobile said another 667,000 accounts of former T-Mobile customers had their information stolen, alongside a group of 850,000 active T-Mobile prepaid customers whose names, phone numbers and account PINs were exposed. The names of 52,000 people with Metro by T-Mobile accounts may also have been accessed, according to T-Mobile.

    Who attacked T-Mobile?
    A 21-year-old US citizen by the name of John Binns told The Wall Street Journal and Alon Gal, co-founder of cybercrime intelligence firm Hudson Rock, that he is the main culprit behind the attack. His father, who died when he was two, was American and his mother is Turkish. He and his mother moved back to Turkey when Binns was 18.

    How did the attack happen?
    Binns, who was born in the US but now lives in Izmir, Turkey, said he conducted the attack from his home. Through Telegram, Binns provided evidence to the Wall Street Journal that he was behind the T-Mobile attack and told reporters that he originally gained access to T-Mobile’s network through an unprotected router in July. According to the Wall Street Journal, he had been searching for gaps in T-Mobile’s defenses through its internet addresses and gained access to a data center near East Wenatchee, Washington, where he could explore more than 100 of the company’s servers. From there, it took about a week to gain access to the servers that contained the personal data of millions. By August 4 he had stolen millions of files. “I was panicking because I had access to something big. Their security is awful,” Binns told the Wall Street Journal. “Generating noise was one goal.” Binns also spoke with Motherboard and Bleeping Computer to explain some dynamics of the attack. He told Bleeping Computer that he gained access to T-Mobile’s systems through “production, staging, and development servers two weeks ago.” He hacked into an Oracle database server that held customer data. To prove it was real, Binns shared a screenshot of his SSH connection to a production server running Oracle with reporters from Bleeping Computer. He told the outlet he did not try to ransom T-Mobile because he already had buyers online. In his interview with Motherboard, he said he had stolen the data from T-Mobile servers and that T-Mobile eventually managed to kick him out of the breached servers, but not before copies of the data had already been made. On an underground forum, Binns and others were found selling a sample of the data with 30 million social security numbers and driver’s licenses for 6 Bitcoin, according to Motherboard and Bleeping Computer. T-Mobile CEO Mike Sievert explained that the hacker behind the attack “leveraged their knowledge of technical systems, along with specialized tools and capabilities, to gain access to our testing environments and then used brute force attacks and other methods to make their way into other IT servers that included customer data.” “In short, this individual’s intent was to break in and steal data, and they succeeded,” Sievert said. Binns claimed he stole 106 GB of data, but it is unclear whether that is true.

    Why did Binns do it?
    The 21-year-old Virginia native told the Wall Street Journal and other outlets that he has been targeted by US law enforcement agencies for his alleged involvement in the Satori botnet conspiracy. He claims US agencies abducted him in Germany and Turkey and tortured him. Binns filed a lawsuit in a district court against the FBI, CIA and Justice Department in November in which he said he was being investigated for various cybercrimes and for allegedly being part of the Islamic State militant group, a charge he denies. “I have no reason to make up a fake kidnapping story and I’m hoping that someone within the FBI leaks information about that,” he explained in his messages to the Wall Street Journal. The lawsuit includes a variety of claims by Binns that the CIA broke into his homes and wiretapped his computers as part of a larger investigation into his alleged cybercrimes. He filed the suit in a Washington DC District Court. Before he was officially identified, Binns sent Gal a message that was shared on Twitter. “The breach was done to retaliate against the US for the kidnapping and torture of John Erin Binns (CIA Raven-1) in Germany by CIA and Turkish intelligence agents in 2019. We did it to harm US infrastructure,” the message said, according to Gal.

    Was Binns alone in conducting the attack?
    He would not confirm to The Wall Street Journal whether the data he stole has already been sold or whether someone else paid him to hack into T-Mobile. While Binns did not explicitly say he worked with others on the attack, he did admit that he needed help in acquiring login credentials for databases inside T-Mobile’s systems. Some news outlets have reported that Binns was not the only person selling the stolen T-Mobile data.

    When did T-Mobile discover the attack?
    The Wall Street Journal story noted that T-Mobile was initially notified of the breach by a cybersecurity company called Unit221B LLC, which said the carrier’s customer data was being marketed on the dark web. T-Mobile told ZDNet on August 16 that it was investigating the initial claims that customer data was being sold on the dark web and eventually released a lengthy statement explaining that while the hack did not involve all 100 million of its customers, at least half had their information involved.

    Is law enforcement involved?
    T-Mobile CEO Mike Sievert said on August 27 that he could not share more information about the technical details of the attack because the company is “actively coordinating with law enforcement on a criminal investigation.” It is unclear which agencies are working on the case, and T-Mobile did not respond to questions about this.

    What is T-Mobile doing about the hack?
    Sievert explained that the company hired Mandiant to conduct an investigation into the incident. “As of today, we have notified just about every current T-Mobile customer or primary account holder who had data such as name and current address, social security number, or government ID number compromised,” he said in a statement. T-Mobile will also put a banner on the MyT-Mobile.com account login page letting other customers know if they were not affected by the attack. Sievert admitted that the company is still in the process of notifying former and prospective customers, millions of whom also had their information stolen. In addition to offering just two years of free identity protection services with McAfee’s ID Theft Protection Service, T-Mobile said it was recommending customers sign up for “T-Mobile’s free scam-blocking protection through Scam Shield.” The company will also be offering “Account Takeover Protection” to postpaid customers, which it said will make it more difficult for customer accounts to be fraudulently ported out and stolen. It urged customers to reset all passwords and PINs as well. Sievert also announced that T-Mobile had signed “long-term partnerships” with Mandiant and KPMG LLP to beef up its cybersecurity and give the telecommunications giant the “firepower” needed to improve its ability to protect customers from cybercriminals. “As I previously mentioned, Mandiant has been part of our forensic investigation since the start of the incident, and we are now expanding our relationship to draw on the expertise they’ve gained from the front lines of large-scale data breaches and use their scalable security solutions to become more resilient to future cyber threats,” Sievert added. “They will support us as we develop an immediate and longer-term strategic plan to mitigate and stabilize cybersecurity risks across our enterprise. Simultaneously, we are partnering with consulting firm KPMG, a recognized global leader in cybersecurity consulting. KPMG’s cybersecurity team will bring its deep expertise and interdisciplinary approach to perform a thorough review of all T-Mobile security policies and performance measurement. They will focus on controls to identify gaps and areas of improvement.” Both Mandiant and KPMG will work together to sketch out a plan for T-Mobile to address its cybersecurity gaps in the future.

    Has this happened to T-Mobile before?
    No attack of this size has hit T-Mobile before, but the company has been attacked multiple times. Before the attack two weeks ago, the company had announced four data breaches in the last three years.
The company disclosed a breach in January after incidents in August 2018, November 2019, and March 2020.The investigation into the January incident found that hackers accessed around 200,000 customer details such as phone numbers, the number of lines subscribed to an account, and, in some cases, call-related information, which T-Mobile said it collected as part of the normal operation of its wireless service.The previous breaches included a March 2020 incident where T-Mobile said hackers gained access to both its employees’ and customers’ data, including employee email accounts, a November 2019 incident where T-Mobile said it “discovered and shut down” unauthorized access to the personal data of its customers, and an August 2018 incident where T-Mobile said hackers gained access to the personal details of 2 million of its customers.Before it merged with T-Mobile in 2020, Sprint also disclosed two security breaches in 2019 as well, one in May and a second in July.What happens now?Binns has not said if he has sold the data he stole, but he told Bleeping Computer that there were already multiple prospective buyers.  More

Cloudflare says it stopped the largest DDoS attack ever reported

Cloudflare said its system managed to stop the largest reported DDoS attack in July, explaining in a blog post that the attack reached 17.2 million requests per second, three times larger than any previous one it had recorded. Cloudflare’s Omer Yoachimik explained in the blog post that the company served over 25 million HTTP requests per second on average in Q2 2021, illustrating the enormity of the attack. He added that the attack was launched by a botnet that was targeting a financial industry customer of Cloudflare. It managed to hit the Cloudflare edge with over 330 million attack requests within seconds, he said.

“The attack traffic originated from more than 20,000 bots in 125 countries around the world. Based on the bots’ source IP addresses, almost 15% of the attack originated from Indonesia and another 17% from India and Brazil combined, indicating that there may be many malware-infected devices in those countries,” Yoachimik said. “This 17.2 million rps attack is the largest HTTP DDoS attack that Cloudflare has ever seen to date and almost three times the size of any other reported HTTP DDoS attack. This specific botnet, however, has been seen at least twice over the past few weeks. Just last week it also targeted a different Cloudflare customer, a hosting provider, with an HTTP DDoS attack that peaked just below 8 million rps.”

Yoachimik noted that two weeks before that, a Mirai-variant botnet “launched over a dozen UDP and TCP based DDoS attacks that peaked multiple times above 1 Tbps, with a max peak of approximately 1.2 Tbps.” Cloudflare customers — including a gaming company and a major APAC-based telecommunications and hosting provider — are being targeted with attacks on both the Magic Transit and Spectrum services as well as the WAF/CDN service.

According to Yoachimik, the Mirai botnet generated a significant volume of attack traffic despite shrinking to about 28,000 bots after starting with about 30,000. “These attacks join the increase in Mirai-based DDoS attacks that we’ve observed on our network over the past weeks. In July alone, L3/4 Mirai attacks increased by 88% and L7 attacks by 9%,” Yoachimik said. “Additionally, based on the current August per-day average of the Mirai attacks, we can expect L7 Mirai DDoS attacks and other similar botnet attacks to increase by 185% and L3/4 attacks by 71% by the end of the month.”

Tyler Shields, CMO at JupiterOne, called the 17.2 million rps attack “significant” and told ZDNet that for a DDoS attack to reach that level of bandwidth exhaustion, there has to be a significant backend infrastructure of either compromised hosts or hosts that have been scaled up with the sole purpose of sending malicious traffic. “The only other way to achieve these levels of bandwidth is to couple an enormous infrastructure with some kind of packet amplification technique. Either way, this is a meaningful attack that was not generated by a random attacker. This group is likely large, well-funded, and dedicated,” Shields said. Howard Ting, CEO at Cyberhaven, added that DDoS attacks are a growing problem and one that we should expect to see more of. He noted that botnets such as Mirai, which launched the attack, rely heavily on compromised IoT devices and other unmanaged devices. “As the number of these devices grows, so too does the potential army for DDoS attacks,” Ting said.

Yoachimik said Cloudflare’s autonomous edge DDoS protection system detected the 17.2 million rps attack and noted that the system is powered by a software-defined denial of service daemon the company calls dosd. “A unique dosd instance runs in every server in each one of our data centers around the world. Each dosd instance independently analyzes traffic samples out-of-path. Analyzing traffic out-of-path allows us to scan asynchronously for DDoS attacks without causing latency and impacting performance,” Yoachimik said. “DDoS findings are also shared between the various dosd instances within a data center, as a form of proactive threat intelligence sharing. Once an attack is detected, our systems generate a mitigation rule with a real-time signature that matches the attack patterns. The rule is propagated to the most optimal location in the tech stack.”
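As an added illustration of the sampled, out-of-path detection pattern Yoachimik describes (a toy model written for this page, not Cloudflare's dosd code; the sampling ratio, threshold, signature fields and the traffic window are all assumed or constructed):

```python
"""Toy model of sampled, out-of-path HTTP flood detection (added
illustration, not Cloudflare's dosd). Each server inspects only 1 in
SAMPLE_EVERY requests, off the request path; the per-signature counts are
shared with the other servers in the data center, scaled back up to an
estimated request rate, and a rule is emitted for each hot signature."""
from collections import Counter
from dataclasses import dataclass
import random

SAMPLE_EVERY = 16        # sampling ratio (assumed value)
RPS_THRESHOLD = 50_000   # estimated rps at which a rule is generated (assumed value)

@dataclass(frozen=True)
class Request:
    method: str
    path: str
    user_agent: str
    src_ip: str

def signature(req: Request) -> tuple:
    """Fields a scripted flood tends to repeat verbatim on every request."""
    return (req.method, req.path, req.user_agent)

def sample_counts(requests: list) -> Counter:
    """One server's view of a one-second window: only every SAMPLE_EVERY-th
    request is examined, so the serving path itself is never delayed."""
    return Counter(signature(r) for r in requests[::SAMPLE_EVERY])

def mitigation_rules(per_server_counts: list, window_seconds: float = 1.0) -> dict:
    """Merge the counts shared within a data center and emit one block rule
    per signature whose estimated rate crosses RPS_THRESHOLD."""
    merged = Counter()
    for counts in per_server_counts:
        merged.update(counts)
    rules = {}
    for sig, n in merged.items():
        est_rps = n * SAMPLE_EVERY / window_seconds   # undo the sampling
        if est_rps >= RPS_THRESHOLD:
            method, path, user_agent = sig
            rules[sig] = {"action": "block", "estimated_rps": est_rps,
                          "match": {"method": method, "path": path, "user_agent": user_agent}}
    return rules

def constructed_window(n_attack: int = 200_000, n_legit: int = 4_000, seed: int = 1) -> list:
    """Constructed one-second window: one flood signature from many TEST-NET-3
    source addresses, mixed with a little ordinary browsing."""
    rng = random.Random(seed)
    ip = lambda: "203.0.113.%d" % rng.randrange(256)   # documentation-range addresses
    reqs = [Request("GET", "/api/login", "Mozilla/5.0 (flood)", ip()) for _ in range(n_attack)]
    reqs += [Request("GET", rng.choice(["/", "/about", "/status"]), "Mozilla/5.0 (browser)", ip())
             for _ in range(n_legit)]
    rng.shuffle(reqs)
    return reqs
```

Splitting a window across two `sample_counts` calls and passing both to `mitigation_rules` plays the role of two servers sharing their findings; the flood signature comes back as a single block rule while the browsing traffic stays well under threshold.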

Cisco says it will not release software update for critical 0-day in EOL VPN routers

Cisco announced recently that it will not be releasing software updates for a vulnerability in the Universal Plug-and-Play (UPnP) service of its Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers. The vulnerability allows an unauthenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly, resulting in a denial of service (DoS) condition.

“This vulnerability is due to improper validation of incoming UPnP traffic. An attacker could exploit this vulnerability by sending a crafted UPnP request to an affected device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system or cause the device to reload, resulting in a DoS condition,” Cisco said in a statement. “Cisco has not released software updates that address this vulnerability. There are no workarounds that address this vulnerability.”

The vulnerability only affects the RV Series Routers if they have UPnP configured, but the UPnP service is enabled by default on LAN interfaces and disabled by default on WAN interfaces. The company explained that to find out whether the UPnP feature is enabled on the LAN interface of a device, users should open the web-based management interface and navigate to Basic Settings > UPnP. If the Disable check box is unchecked, UPnP is enabled on the device. Cisco said that while disabling the affected feature has been proven successful in some test environments, customers should “determine the applicability and effectiveness in their own environment and under their own use conditions.”

Cisco also warned that any workaround or mitigation might harm how a network functions or performs. Cisco urged customers to migrate to the Cisco Small Business RV132W, RV160, or RV160W Routers.

The vulnerability and Cisco’s notice caused a minor stir among IT leaders, some of whom said exploiting it requires the threat actor to have access to an internal network, which can be gained easily through a phishing email or other methods. Jake Williams, CTO at BreachQuest, added that once inside, a threat actor could use this vulnerability to easily take control of the device using an exploit.

“The vulnerable devices are widely deployed in smaller business environments. Some larger organizations also use the devices for remote offices. The vulnerability lies in UPnP, which is intended to allow dynamic reconfiguration of firewalls for external services that need to pass traffic inbound from the Internet,” Williams told ZDNet. “While UPnP is an extremely useful feature for home users, it has no place in business environments. Cisco likely leaves the UPnP feature enabled on its small business product line because those environments are less likely to have dedicated support staff who can reconfigure a firewall as needed for a product. Staff in these environments need everything to ‘just work.’ In the security space, we must remember that every feature is also additional attack surface waiting to be exploited.”

Williams added that even without the vulnerability, if UPnP is enabled, threat actors inside the environment can use it to open ports on the firewall, allowing in dangerous traffic from the Internet. “Because the vulnerable devices are almost exclusively used in small business environments, with few dedicated technical support staff, they are almost never updated,” he noted.

Vulcan Cyber CEO Yaniv Bar-Dayan said UPnP is a much-maligned service used in the majority of internet-connected devices, estimating that more than 75% of routers have UPnP enabled. While Cisco’s Product Security Incident Response Team said it was not aware of any malicious use of this vulnerability so far, Bar-Dayan said UPnP has been used by hackers to take control of everything from IP cameras to enterprise network infrastructure.

Other experts, like nVisium senior application security consultant Zach Varnell, added that it’s extremely common for the devices to rarely — or never — receive updates. “Users tend to want to leave well enough alone and not touch a device that’s been working well — including when it needs important updates. Many times, users also take advantage of plug-and-play functionality, so they do very little or zero configuration changes, leaving the device at its default status and ultimately, vulnerable,” Varnell said.

New Net Technologies global vice president of security research Dirk Schrader added that while UPnP is one of the least known utilities to average consumers, it is used broadly in SOHO networking devices such as DSL or cable routers, WLAN devices, and even printers. “UPnP is present in almost all home networking devices and is used by devices to find other networked devices. It has been targeted before, and one of the big botnets, Mirai, relied heavily on UPnP. Given that the named Cisco devices are placed in the SOHO and SMB segment, the owners are most likely not aware of UPnP and what it does,” Schrader said. “That and the fact that no workaround or patch is available yet is a quite dangerous combination, as the installed base is certainly not small. Hope can be placed on the fact that, by default, UPnP is not enabled on the WAN interfaces of the affected Cisco device, only on the LAN side. As consumers are not likely to change that, for this vulnerability to be exploited, attackers seem to need a different, already established footprint within the LAN. But attackers will check the vulnerability and see what else can be done with it.”
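A network-side complement to Cisco's per-device "Basic Settings > UPnP" check, written for this page and not Cisco's or ZDNet's code: it sends one standard SSDP M-SEARCH and lists which LAN hosts still answer UPnP discovery, flagging those that advertise an InternetGatewayDevice (the reply used for the offline check is constructed, with documentation-range addresses).

```python
"""Inventory of LAN hosts that answer UPnP discovery (added example, not
Cisco's or ZDNet's code). Sends one standard SSDP M-SEARCH to the UPnP
multicast group and parses the replies; a host advertising an
InternetGatewayDevice is a router with UPnP still enabled on its LAN side."""
import socket

SSDP_ADDR = ("239.255.255.250", 1900)   # standard SSDP multicast group and port
IGD_MARKER = "InternetGatewayDevice"    # root device type used by UPnP IGD routers

def build_msearch(search_target: str = "ssdp:all", mx: int = 2) -> bytes:
    """Standard SSDP discovery request over HTTPU (CRLF-terminated headers)."""
    lines = ["M-SEARCH * HTTP/1.1", f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}",
             'MAN: "ssdp:discover"', f"MX: {mx}", f"ST: {search_target}", "", ""]
    return "\r\n".join(lines).encode("ascii")

def parse_ssdp_response(data: bytes) -> dict:
    """Parse an HTTPU reply into a lower-cased header -> value dict; returns {}
    for anything that is not an HTTP 200 reply (the port also carries NOTIFYs)."""
    head = data.decode("utf-8", errors="replace").partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def is_igd(headers: dict) -> bool:
    """True when the reply advertises a UPnP Internet Gateway Device."""
    return IGD_MARKER in headers.get("st", "") + headers.get("usn", "")

def discover(timeout: float = 3.0) -> list:
    """Send one M-SEARCH and collect (ip, headers) for each well-formed reply."""
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_msearch(), SSDP_ADDR)
        try:
            while True:
                data, (ip, _) = sock.recvfrom(65535)
                headers = parse_ssdp_response(data)
                if headers:
                    found.append((ip, headers))
        except socket.timeout:
            pass   # quiet for `timeout` seconds: discovery round is over
    return found

# Constructed reply in the shape an IGD router sends back (not a real capture).
SAMPLE_IGD_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
                    b"LOCATION: http://192.0.2.1:1900/rootDesc.xml\r\n"
                    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
                    b"USN: uuid:00000000-0000-0000-0000-000000000000::urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n")
```

Run `discover()` from a host on the LAN segment in question and print `ip`, `is_igd(headers)` and `headers.get("location")` for each reply; any IGD hit is a router whose UPnP setting should be reviewed.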