More stories

  • Bangkok Airways apologizes for passport info breach as LockBit ransomware group threatens data leak

    Bangkok Airways has apologized for a data breach involving passport information and other personal data in a statement to customers. The company said that it discovered a “cybersecurity attack which resulted in unauthorized and unlawful access to its information system” on August 23. 

    The statement said the company is “deeply sorry for the worry and inconvenience that this malicious incident has caused.”

    Bangkok Airways did not respond to requests for comment from ZDNet about how many customers were involved in the breach or what timeframe the data came from, but in its statement the company said an investigation revealed that the names, nationalities, genders, phone numbers, emails, addresses, contact information, passport information, historical travel information, partial credit card information and special meal information for passengers of the airline had been accessed. The company said it is still conducting an investigation into the attack and is working on strengthening its IT system as it identifies potential victims. The attackers were not able to affect Bangkok Airways’ operational or aeronautical security systems, according to the statement, and the Royal Thai police have been notified of the incident.

    “For primary prevention measures, the company highly recommends passengers to contact their bank or credit card provider and follow their advice and change any compromised passwords as soon as possible,” the company said. “In addition to that, the company would like to caution passengers to be aware of any suspicious or unsolicited calls and/or emails, as the attacker may be claiming to be Bangkok Airways and attempt to gather personal data by deception (known as ‘phishing’).” They urged customers to contact the police or take legal action if they get any notices purporting to be from Bangkok Airways asking for credit card details or other information.

    The announcement, which was released on Friday, coincided with a notice from the LockBit ransomware group that said it was planning to release 103 GB of compressed files that it claimed were stolen from Bangkok Airways.

    A screenshot of the LockBit ransomware data leak site. (Image: DarkTracer)

    The group said it would release the data on August 30, but in the past it has extended deadlines or reneged on threats to release data. LockBit operators faced criticism weeks ago when they threatened to leak data that they said was stolen from billion-dollar tech services company Accenture. They repeatedly pushed back the deadline before Accenture came forward to dismiss claims that any significant data was taken.

    The Australian Cyber Security Centre released an advisory in early August noting that the LockBit ransomware group had relaunched after a brief dip in activity and has ramped up attacks. Members of the group are actively exploiting an existing vulnerability in the Fortinet FortiOS and FortiProxy products, identified as CVE-2018-13379, in order to gain initial access to specific victim networks, the advisory said. “The ACSC is aware of numerous incidents involving LockBit and its successor ‘LockBit 2.0′ in Australia since 2020. The majority of victims known to the ACSC have been reported after July 2021, indicating a sharp and significant increase in domestic victims in comparison to other tracked ransomware variants,” the release added. “The ACSC has observed LockBit affiliates successfully deploying ransomware on corporate systems in a variety of sectors including professional services, construction, manufacturing, retail and food.”

    In June, the Prodaft Threat Intelligence team published a report examining LockBit’s RaaS structure and its affiliates’ proclivity toward buying Remote Desktop Protocol access to servers as an initial attack vector. “Commercial and professional services as well as the transportation sector are also highly targeted by the LockBit group,” Prodaft said.

    Those who believe they may have been affected by the attack are urged to contact infosecurity@bangkokair.com for more information.

  • Singapore touts need for security, use cases as 5G rollouts gather steam

    Singapore has underscored the need for 5G networks to remain secure and resilient, as well as for use cases to be developed and tested so the ecosystem can thrive. Its calls come as local telco Singtel announces new customer trials running on its standalone 5G network, including in logistics and manufacturing.

    Designed fundamentally differently from previous generations, which were primarily hardware-based, 5G systems are software-driven. This architectural change could create new potential security vulnerabilities, according to Singapore’s Minister for Communications and Information Josephine Teo.

    “As we expand the adoption of 5G, we must be mindful of the potential for new cyber risks,” Teo said Monday in a speech broadcast during Singtel’s virtual event, which featured new trials the telco was running on its 5G standalone network. “Digital infrastructure must be secure. Consumers and businesses must have confidence that our 5G networks are resilient,” she said. “It is important to uphold Singapore’s reputation as a trusted player, here and abroad.”

    She noted that Infocomm Media Development Authority (IMDA) had stressed the importance of “security and resilience” as regulatory priorities. The industry regulator last year announced a 5G security testbed initiative, in which IMDA worked alongside telcos to boost their security posture and capabilities, Teo said. She added that local telcos had “committed to adopt” a zero-trust security posture, which meant they would have to verify all activities before these were trusted. Carriers also would have to implement constant monitoring and be vigilant for suspicious activities, the minister said. She suggested telcos could further tap global market opportunities if they were able to differentiate their services in the 5G cybersecurity segment.

    In particular, they would need to play their role in driving the local ecosystem and adoption of 5G, she said. “Imagine an appstore with no apps for us to download. Likewise, 5G infrastructure itself cannot deliver magic without actual use cases being developed, tested, and scaled up,” Teo said.

    Singtel Group CEO Yuen Kuan Moon pointed to 5G’s potential to “transform” business models and drive the development of new products and services, including stimulating new growth to “reinvigorate” the Singapore telco’s own core business. Yuen said the combination of Internet of Things (IoT) and artificial intelligence (AI) would provide for more intelligent connectivity, delivering new value propositions for organisations and consumers. For enterprises, in particular, he touted Singtel’s MEC (Multi-access Edge Computing) platform as the vehicle to develop new applications such as smart city planning and 5G-powered e-racing. Singtel today announced it was working with virtual car racing operator Formula Square to test a 5G-powered experience of racing remote-controlled cars at Sentosa.

    Use cases that tap key 5G benefits

    Asked if the telco was focusing on key verticals in running 5G pilots, Singtel’s vice president for 5G enterprise and cloud Dennis Wong said potential use cases cut across multiple sectors including manufacturing, logistics, financial services, and retail. Some functionalities and applications saw quicker adoption than others, such as drones and autonomous vehicles, where regulatory issues still were evolving and the ecosystems were less matured. These would require more time before 5G adoption would pick up, Wong said in an interview with ZDNet. Some applications such as video analytics were seeing high interest as these were easily realised and had different use cases that could be deployed across multiple verticals, he noted. The technology, for instance, could be used in manufacturing to identify defects or in transport for security. Video streaming also could be used in the medical field.

    In exploring potential use cases, he said the key benefits of 5G were its ability to deliver low latency, high data speeds, and enhanced security. These then would help organisations willing to adopt the technology to identify applications they could develop and work with Singtel and its partners to do so.

    Asked how many trials Singtel currently was running with its enterprise customers, Wong said the number was in “multiple tens”. He added that several others were rejected for various reasons, including a lack of value proposition and an immature ecosystem. He said the telco’s “5G network in a box” service, called Genie, also was seeing high interest, with enterprise customers requesting to extend their loan period beyond the standard two weeks. When asked, he declined to say how many of these boxes currently were in circulation.

    Launched in April, Genie was touted to provide a 5G network environment anywhere that had an available power source, enabling enterprises to deploy and test their applications. Tucked inside a suitcase-sized container, Genie comprised a 5G network control kit as well as a standing mount with 5G radio antenna. The box was built to work with the telco’s MEC infrastructure, which was heavily pitched today as the platform on which applications were optimised for 5G’s key features, including low latency, high bandwidth, and real-time compute capabilities at the edge, such as data analytics and AI processing. Singtel in recent months also inked partnerships with Microsoft and Amazon Web Services (AWS), so enterprise customers of these hyperscalers could run their applications on the telco’s MEC and 5G infrastructures, Wong said.

    Yuen added that 5G and AI, along with data analytics, would be key drivers in Singapore’s digital economy post-pandemic, especially as COVID-19 had accelerated digital transformation across all industries. Powered by 5G, the ability to collect and analyse data in large volumes and in real-time would further speed up the adoption of AI and transform businesses, he said. He added that this would play out over the next one to two years as the industry began to embrace digitalisation and tap AI and 5G as the foundation of its digital transformation.

    According to Teo, Singapore was on track to have nationwide outdoor coverage on 5G standalone networks by 2025, with half of the island to have coverage by end-2022. Singtel’s Singapore CEO for consumer Anna Yip said the telco currently had more than 180,000 5G subscribers.

  • VPN Unlimited deal: Save 80% on a lifetime subscription for 5 devices

    It’s really appalling how much of our data we give away freely to businesses that we deal with since it leaves us so vulnerable should their security be breached. Because, unfortunately, that happens far too frequently these days. It’s now imperative that we take the strongest possible measures to protect ourselves on both computers and mobile devices. Thankfully, a very affordable KeepSolid VPN Lifetime subscription will help free us from worry on up to 5 devices and you can currently get a $30 store credit if you buy one.

    KeepSolid VPN not only protects you with its military-grade AES 256-bit encryption on macOS, Windows, Android and iOS devices, it even includes a kill switch and an extremely strict policy of zero-logging in order to protect your privacy. Best of all, you get all of that protection without sacrificing any of your connection speed and absolutely no limits on either your bandwidth or your speed. That means you can work or stream without any buffering. And since KeepSolid VPN has more than 400 servers around the globe, you can enjoy content anywhere you like without having to worry about geo-restrictions while accessing Netflix, BBC iPlayer, Hulu, ESPN+, HBO, and much more. You could even train for an exciting new career while traveling for business or pleasure.

    KeepSolid VPN offers 24/7 customer service, but it’s so user-friendly, you may never need it. You also get the added convenience of features such as Trusted Networks, Ping Tests, Favorite Servers, and more. It’s no wonder that more than 10,000,000 worldwide users trust the protection of KeepSolid VPN. A VPN Special review sums up the benefits perfectly: ”KeepSolid VPN Unlimited offers amazing services and its advanced features make it a solid VPN service provider.”

    Don’t pass up this chance to get a lifetime of powerful protection to keep you safe online anywhere in the world. Get KeepSolid VPN Lifetime with 5 Devices + $30 Store Credit today while it’s available for only $39.99, an 80% discount off the usual $199 price.


  • T-Mobile hack: Everything you need to know

    T-Mobile, one of the biggest telecommunications companies in the US, was hacked nearly two weeks ago, exposing the sensitive information of more than 50 million current, former and prospective customers. Names, addresses, social security numbers, driver’s licenses and ID information for about 48 million people were accessed in the hack, which initially came to light on August 16. Here’s everything we know so far.

    What is T-Mobile?

    T-Mobile is a subsidiary of German telecommunications company Deutsche Telekom AG providing wireless voice, messaging and data services to customers in dozens of countries. In the US, the company has more than 104 million customers and became the second largest telecommunications company behind Verizon after its $26 billion merger with Sprint in 2018.

    How many people are affected by the hack?

    T-Mobile released a statement last week confirming that the names, dates of birth, social security numbers, driver’s licenses, phone numbers, as well as IMEI and IMSI information for about 7.8 million customers had been stolen in the breach. Another 40 million former or prospective customers had their names, dates of birth, social security numbers and driver’s licenses leaked.

    More than 5 million “current postpaid customer accounts” also had information like names, addresses, dates of birth, phone numbers, IMEIs and IMSIs illegally accessed. T-Mobile said another 667,000 accounts of former T-Mobile customers had their information stolen alongside a group of 850,000 active T-Mobile prepaid customers, whose names, phone numbers and account PINs were exposed. The names of 52,000 people with Metro by T-Mobile accounts may also have been accessed, according to T-Mobile.

    Who attacked T-Mobile?

    A 21-year-old US citizen by the name of John Binns told The Wall Street Journal and Alon Gal, co-founder of cybercrime intelligence firm Hudson Rock, that he is the main culprit behind the attack. His father, who died when he was two, was American and his mother is Turkish. He and his mother moved back to Turkey when Binns was 18.

    How did the attack happen?

    Binns, who was born in the US but now lives in Izmir, Turkey, said he conducted the attack from his home. Through Telegram, Binns provided evidence to the Wall Street Journal proving he was behind the T-Mobile attack and told reporters that he originally gained access to T-Mobile’s network through an unprotected router in July. According to the Wall Street Journal, he had been searching for gaps in T-Mobile’s defenses through its internet addresses and gained access to a data center near East Wenatchee, Washington where he could explore more than 100 of the company’s servers. From there, it took about one week to gain access to the servers that contained the personal data of millions. By August 4 he had stolen millions of files. “I was panicking because I had access to something big. Their security is awful,” Binns told the Wall Street Journal. “Generating noise was one goal.”

    Binns also spoke with Motherboard and Bleeping Computer to explain some dynamics of the attack. He told Bleeping Computer that he gained access to T-Mobile’s systems through “production, staging, and development servers two weeks ago.” He hacked into an Oracle database server that had customer data inside. To prove it was real, Binns shared a screenshot of his SSH connection to a production server running Oracle with reporters from Bleeping Computer. They did not try to ransom T-Mobile because they already had buyers online, according to their interview with the news outlet.

    In his interview with Motherboard, he said he had stolen the data from T-Mobile servers and that T-Mobile managed to eventually kick him out of the breached servers, but not before copies of the data had already been made. On an underground forum, Binns and others were found selling a sample of the data with 30 million social security numbers and driver licenses for 6 Bitcoin, according to Motherboard and Bleeping Computer.

    T-Mobile CEO Mike Sievert explained that the hacker behind the attack “leveraged their knowledge of technical systems, along with specialized tools and capabilities, to gain access to our testing environments and then used brute force attacks and other methods to make their way into other IT servers that included customer data.” “In short, this individual’s intent was to break in and steal data, and they succeeded,” Sievert said. Binns claimed he stole 106GB of data but it is unclear whether that is true.

    Why did Binns do it?

    The 21-year-old Virginia native told the Wall Street Journal and other outlets that he has been targeted by US law enforcement agencies for his alleged involvement in the Satori botnet conspiracy. He claims US agencies abducted him in Germany and Turkey and tortured him. Binns filed a lawsuit in a district court against the FBI, CIA and Justice Department in November where he said he was being investigated for various cybercrimes and for allegedly being part of the Islamic State militant group, a charge he denies. “I have no reason to make up a fake kidnapping story and I’m hoping that someone within the FBI leaks information about that,” he explained in his messages to the Wall Street Journal.

    The lawsuit includes a variety of claims by Binns that the CIA broke into his homes and wiretapped his computers as part of a larger investigation into his alleged cybercrimes. He filed the suit in a Washington DC District Court. Before he was officially identified, Binns sent Gal a message that was shared on Twitter. “The breach was done to retaliate against the US for the kidnapping and torture of John Erin Binns (CIA Raven-1) in Germany by CIA and Turkish intelligence agents in 2019. We did it to harm US infrastructure,” the message said, according to Gal.

    Was Binns alone in conducting the attack?

    He would not confirm if the data he stole has already been sold or if someone else paid him to hack into T-Mobile in his interview with The Wall Street Journal. While Binns did not explicitly say he worked with others on the attack, he did admit that he needed help in acquiring login credentials for databases inside T-Mobile’s systems. Some news outlets have reported that Binns was not the only person selling the stolen T-Mobile data.

    When did T-Mobile discover the attack?

    The Wall Street Journal story noted that T-Mobile was initially notified of the breach by a cybersecurity company called Unit221B LLC, which said their customer data was being marketed on the dark web. T-Mobile told ZDNet on August 16 that it was investigating the initial claims that customer data was being sold on the dark web and eventually released a lengthy statement explaining that while the hack did not involve all 100 million of their customers, at least half had their information involved in the hack.

    Is law enforcement involved?

    T-Mobile CEO Mike Sievert said on August 27 that he could not share more information about the technical details of the attack because they are “actively coordinating with law enforcement on a criminal investigation.” It is unclear what agencies are working on the case and T-Mobile did not respond to questions about this.

    What is T-Mobile doing about the hack?

    Sievert explained that the company hired Mandiant to conduct an investigation into the incident. “As of today, we have notified just about every current T-Mobile customer or primary account holder who had data such as name and current address, social security number, or government ID number compromised,” he said in a statement. T-Mobile will also put a banner on the MyT-Mobile.com account login page of others letting them know if they were not affected by the attack. Sievert admitted that the company is still in the process of notifying former and prospective customers, millions of whom also had their information stolen. In addition to offering just two years of free identity protection services with McAfee’s ID Theft Protection Service, T-Mobile said it was recommending customers sign up for “T-Mobile’s free scam-blocking protection through Scam Shield.” The company will also be offering “Account Takeover Protection” to postpaid customers, which they said will make it more difficult for customer accounts to be fraudulently ported out and stolen. They urged customers to reset all passwords and PINs as well.

    Sievert also announced that T-Mobile had signed “long-term partnerships” with Mandiant and KPMG LLG to beef up their cybersecurity and give the telecommunications giant the “firepower” needed to improve their ability to protect customers from cybercriminals. “As I previously mentioned, Mandiant has been part of our forensic investigation since the start of the incident, and we are now expanding our relationship to draw on the expertise they’ve gained from the front lines of large-scale data breaches and use their scalable security solutions to become more resilient to future cyber threats,” Sievert added. “They will support us as we develop an immediate and longer-term strategic plan to mitigate and stabilize cybersecurity risks across our enterprise. Simultaneously, we are partnering with consulting firm KPMG, a recognized global leader in cybersecurity consulting. KPMG’s cybersecurity team will bring its deep expertise and interdisciplinary approach to perform a thorough review of all T-Mobile security policies and performance measurement. They will focus on controls to identify gaps and areas of improvement.” Both Mandiant and KPMG will work together to sketch out a plan for T-Mobile to address its cybersecurity gaps in the future.

    Has this happened to T-Mobile before?

    No attack of this size has hit T-Mobile before, but the company has been attacked multiple times. Before the attack two weeks ago, the company had announced four data breaches in the last three years. The company disclosed a breach in January after incidents in August 2018, November 2019, and March 2020. The investigation into the January incident found that hackers accessed around 200,000 customer details such as phone numbers, the number of lines subscribed to an account, and, in some cases, call-related information, which T-Mobile said it collected as part of the normal operation of its wireless service. The previous breaches included a March 2020 incident where T-Mobile said hackers gained access to both its employees’ and customers’ data, including employee email accounts, a November 2019 incident where T-Mobile said it “discovered and shut down” unauthorized access to the personal data of its customers, and an August 2018 incident where T-Mobile said hackers gained access to the personal details of 2 million of its customers. Before it merged with T-Mobile in 2020, Sprint also disclosed two security breaches in 2019, one in May and a second in July.

    What happens now?

    Binns has not said if he has sold the data he stole, but he told Bleeping Computer that there were already multiple prospective buyers.

  • Cloudflare says it stopped the largest DDoS attack ever reported

    Cloudflare said its systems managed to stop the largest reported DDoS attack in July, explaining in a blog post that the attack peaked at 17.2 million requests per second, three times larger than any previous one it had recorded. Cloudflare’s Omer Yoachimik explained in the blog post that the company served over 25 million HTTP requests per second on average in Q2 2021, illustrating the enormity of the attack. He added that the attack was launched by a botnet that was targeting a financial industry customer of Cloudflare. It managed to hit the Cloudflare edge with over 330 million attack requests within seconds, he said.

    “The attack traffic originated from more than 20,000 bots in 125 countries around the world. Based on the bots’ source IP addresses, almost 15% of the attack originated from Indonesia and another 17% from India and Brazil combined, indicating that there may be many malware infected devices in those countries,” Yoachimik said. “This 17.2 million rps attack is the largest HTTP DDoS attack that Cloudflare has ever seen to date and almost three times the size of any other reported HTTP DDoS attack. This specific botnet, however, has been seen at least twice over the past few weeks. Just last week it also targeted a different Cloudflare customer, a hosting provider, with an HTTP DDoS attack that peaked just below 8 million rps.”

    Yoachimik noted that two weeks before that, a Mirai-variant botnet “launched over a dozen UDP and TCP based DDoS attacks that peaked multiple times above 1 Tbps, with a max peak of approximately 1.2 Tbps.” Cloudflare customers — including a gaming company and a major APAC-based telecommunications and hosting provider — are being targeted with attacks on both the Magic Transit and Spectrum services as well as the WAF/CDN service.

    According to Yoachimik, the Mirai botnet generated a significant volume of attack traffic despite shrinking to about 28,000 bots after starting with about 30,000. “These attacks join the increase in Mirai-based DDoS attacks that we’ve observed on our network over the past weeks. In July alone, L3/4 Mirai attacks increased by 88% and L7 attacks by 9%,” Yoachimik said. “Additionally, based on the current August per-day average of the Mirai attacks, we can expect L7 Mirai DDoS attacks and other similar botnet attacks to increase by 185% and L3/4 attacks by 71% by the end of the month.”

    Tyler Shields, CMO at JupiterOne, called the 17.2 million rps attack “significant” and told ZDNet that the ability for a DDoS attack to reach that level of bandwidth exhaustion means that there is a significant backend infrastructure of either compromised hosts or hosts that have been scaled up with the sole purpose of sending malicious traffic. “The only other way to achieve these levels of bandwidth is to couple an enormous infrastructure with some kind of packet amplification technique. Either way, this is a meaningful attack that was not generated by a random attacker. This group is likely large, well funded, and dedicated,” Shields said.

    Howard Ting, CEO at Cyberhaven, added that DDoS attacks are a growing problem and one that we should expect to see more of. He noted that botnets, such as the Mirai botnet that launched the attack, heavily rely on compromised IoT devices and other unmanaged devices. “As the number of these devices grows, so too does the potential army for DDoS attacks,” Ting said.

    Yoachimik said their autonomous edge DDoS protection system detected the 17.2 million rps attack and noted that their system is powered by a software-defined denial of service daemon they call dosd. “A unique dosd instance runs in every server in each one of our data centers around the world. Each dosd instance independently analyzes traffic samples out-of-path. Analyzing traffic out-of-path allows us to scan asynchronously for DDoS attacks without causing latency and impacting performance,” Yoachimik said. “DDoS findings are also shared between the various dosd instances within a data center, as a form of proactive threat intelligence sharing. Once an attack is detected, our systems generate a mitigation rule with a real-time signature that matches the attack patterns. The rule is propagated to the most optimal location in the tech stack.”

  • Cisco says it will not release software update for critical 0-day in EOL VPN routers

    Cisco announced recently that it will not be releasing software updates for a vulnerability in the Universal Plug-and-Play (UPnP) service of its Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers. The vulnerability allows an unauthenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly, resulting in a denial of service (DoS) condition.

    “This vulnerability is due to improper validation of incoming UPnP traffic. An attacker could exploit this vulnerability by sending a crafted UPnP request to an affected device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system or cause the device to reload, resulting in a DoS condition,” Cisco said in a statement. “Cisco has not released software updates that address this vulnerability. There are no workarounds that address this vulnerability.”

    The vulnerability only affects the RV Series Routers if UPnP is configured; however, the UPnP service is enabled by default on LAN interfaces and disabled by default on WAN interfaces. The company explained that to find out whether the UPnP feature is enabled on the LAN interface of a device, users should open the web-based management interface and navigate to Basic Settings > UPnP. If the Disable check box is unchecked, UPnP is enabled on the device.

    Cisco said that while disabling the affected feature has been proven successful in some test environments, customers should “determine the applicability and effectiveness in their own environment and under their own use conditions.”

    They also warned that any workaround or mitigation might harm how their network functions or performs. Cisco urged customers to migrate to the Cisco Small Business RV132W, RV160, or RV160W Routers.

    The vulnerability and Cisco’s notice caused a minor stir among IT leaders, some of whom said exploiting it requires the threat actor to have access to an internal network, which can be gained easily through a phishing email or other methods. Jake Williams, CTO at BreachQuest, added that once inside, a threat actor could use this vulnerability to easily take control of the device using an exploit.

    “The vulnerable devices are widely deployed in smaller business environments. Some larger organizations also use the devices for remote offices. The vulnerability lies in uPnP, which is intended to allow dynamic reconfiguration of firewalls for external services that need to pass traffic inbound from the Internet,” Williams told ZDNet. “While uPnP is an extremely useful feature for home users, it has no place in business environments. Cisco likely leaves the uPnP feature enabled on its small business product line because those environments are less likely to have dedicated support staff who can reconfigure a firewall as needed for a product. Staff in these environments need everything to ‘just work.’ In the security space, we must remember that every feature is also additional attack surface waiting to be exploited.”

    Williams added that even without the vulnerability, if uPnP is enabled, threat actors inside the environment can use it to open ports on the firewall, allowing in dangerous traffic from the Internet. “Because the vulnerable devices are almost exclusively used in small business environments, with few dedicated technical support staff, they are almost never updated,” he noted.

    Vulcan Cyber CEO Yaniv Bar-Dayan said UPnP is a much-maligned service used in the majority of internet-connected devices, estimating that more than 75% of routers have UPnP enabled. While Cisco’s Product Security Incident Response Team said it was not aware of any malicious use of this vulnerability so far, Bar-Dayan said UPnP has been used by hackers to take control of everything from IP cameras to enterprise network infrastructure.

    Other experts, like nVisium senior application security consultant Zach Varnell, added that it’s extremely common for the devices to rarely — or never — receive updates. “Users tend to want to leave well enough alone and not touch a device that’s been working well — including when it needs important updates. Many times, users also take advantage of plug-and-play functionality, so they do very little or zero configuration changes, leaving the device at its default status and ultimately, vulnerable,” Varnell said.

    New Net Technologies global vice president of security research Dirk Schrader added that while UPnP is one of the least known utilities to average consumers, it is used broadly in SOHO networking devices such as DSL or cable routers, WLAN devices, and even printers. “UPnP is present in almost all home networking devices and is used by devices to find other networked devices. It has been targeted before, and one of the big botnets, Mirai, relied heavily on UPnP. Given that the named Cisco devices are placed in the SOHO and SMB segment, the owners are most likely not aware of UPnP and what it does,” Schrader said. “That and the fact that no workaround or patch is available yet is a quite dangerous combination, as the installed base is certainly not small. Hope can be placed on the fact that — by default — UPnP is not enabled on the WAN interfaces of the affected Cisco devices, only on the LAN side. As consumers are not likely to change that, for this vulnerability to be exploited, attackers seem to need a different, already established footprint within the LAN. But attackers will check the vulnerability and see what else can be done with it.”
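Cisco's advice is to check the Basic Settings > UPnP page of each router; the script below is an added example (not Cisco's or any quoted expert's code) that lets an administrator verify the result from the LAN side instead, by multicasting the standard SSDP M-SEARCH and flagging any responder that still advertises the Internet Gateway Device profile, i.e. the port-mapping service Williams describes. The sample responses in the test are constructed.

```python
"""LAN audit for devices answering UPnP SSDP discovery.
Added example, not Cisco's code: multicasts the standard SSDP M-SEARCH and
lists responders, so an admin on the LAN can confirm that disabling UPnP
(Basic Settings > UPnP) took effect and spot gateways that still advertise
the port-mapping (IGD) service."""
import socket
from typing import Dict, List, Tuple

SSDP_GROUP = ("239.255.255.250", 1900)
M_SEARCH = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
            'MAN: "ssdp:discover"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n')
GATEWAY_MARKERS = ("InternetGatewayDevice", "WANIPConnection", "WANPPPConnection")

def parse_ssdp_response(raw: bytes) -> Dict[str, str]:
    """HTTPU reply -> lower-cased header dict; non-200 or junk packets give {}."""
    lines = raw.decode("utf-8", errors="replace").split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return {}
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:  # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def is_gateway(headers: Dict[str, str]) -> bool:
    """True if ST/USN advertise the IGD profile (the firewall-reconfiguration service)."""
    blob = headers.get("st", "") + " " + headers.get("usn", "")
    return any(m in blob for m in GATEWAY_MARKERS)

def discover(timeout: float = 3.0) -> List[Tuple[str, Dict[str, str]]]:
    """Multicast one M-SEARCH; return (source IP, headers) for each valid reply."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    sock.sendto(M_SEARCH.encode(), SSDP_GROUP)
    found = []
    try:
        while True:  # keep reading until the MX window closes (timeout)
            data, (ip, _port) = sock.recvfrom(65535)
            hdrs = parse_ssdp_response(data)
            if hdrs:
                found.append((ip, hdrs))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found
```

Call `discover()` from a host on the LAN interface; a router that still answers with an IGD service type has UPnP enabled regardless of what the web UI appears to show.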

    T-Mobile CEO apologizes for massive hack, announces cybersecurity deal with Mandiant

    T-Mobile’s CEO has finally spoken out about the massive hack that exposed millions of customers’ sensitive information, apologizing for the leak and announcing a cybersecurity pact with Mandiant.

    CEO Mike Sievert on one hand sought to downplay the incident — which led to the leak of nearly 48 million social security numbers alongside other information from a total of 50 million people — by touting the fact that no financial information was lost. He also implied that the leak of social security numbers, driver’s licenses and ID information was “like so many breaches before,” but admitted that the company had failed to keep their customers’ data safe.

    “The last two weeks have been humbling for all of us at T-Mobile as we have worked tirelessly to navigate a malicious cyberattack on our systems. Attacks like this are on the rise and bad actors work day-in and day-out to find new avenues to attack our systems and exploit them,” Sievert said. “We spend lots of time and effort to try to stay a step ahead of them, but we didn’t live up to the expectations we have for ourselves to protect our customers. Knowing that we failed to prevent this exposure is one of the hardest parts of this event. On behalf of everyone at Team Magenta, I want to say we are truly sorry.”

    Sievert explained that the company hired Mandiant to conduct an investigation into the incident and said they have since closed the server entry points that gave the hacker, allegedly 21-year-old John Binns, access to T-Mobile data. He would not provide more information about the breach because they are “actively coordinating with law enforcement on a criminal investigation.” On Thursday, Binns openly took credit for the hack in an interview with the Wall Street Journal while mocking T-Mobile’s lackluster cybersecurity.

    “I was panicking because I had access to something big. Their security is awful,” Binns said, adding that he launched the attack because of his anger at US law enforcement agencies for allegedly torturing him in Germany and Turkey.

    Binns initially claimed he had access to the information of about 100 million customers, but T-Mobile later confirmed that the names, dates of birth, social security numbers, driver’s licenses, phone numbers, as well as IMEI and IMSI information for about 7.8 million customers had been stolen in the breach. Another 40 million former or prospective customers had their names, dates of birth, social security numbers and driver’s licenses leaked. More than 5 million “current postpaid customer accounts” also had information like names, addresses, dates of birth, phone numbers, IMEIs and IMSIs illegally accessed. T-Mobile said another 667,000 accounts of former T-Mobile customers had their information stolen alongside a group of 850,000 active T-Mobile prepaid customers, whose names, phone numbers and account PINs were exposed. The names of 52,000 people with Metro by T-Mobile accounts may also have been accessed, according to T-Mobile.

    Sievert explained that the hacker behind the attack “leveraged their knowledge of technical systems, along with specialized tools and capabilities, to gain access to our testing environments and then used brute force attacks and other methods to make their way into other IT servers that included customer data.”

    “In short, this individual’s intent was to break in and steal data, and they succeeded,” Sievert said. “As of today, we have notified just about every current T-Mobile customer or primary account holder who had data such as name and current address, social security number, or government ID number compromised.”

    T-Mobile will also put a banner on the MyT-Mobile.com account login page of others letting them know if they were not affected by the attack. Sievert admitted that the company is still in the process of notifying former and prospective customers, millions of whom also had their information stolen. In addition to offering just two years of free identity protection services with McAfee’s ID Theft Protection Service, T-Mobile said it was recommending customers sign up for “T-Mobile’s free scam-blocking protection through Scam Shield.” The company will also be offering “Account Takeover Protection” to postpaid customers, which they said will make it more difficult for customer accounts to be fraudulently ported out and stolen. They urged customers to reset all passwords and PIN numbers as well.

    Sievert also announced that T-Mobile had signed “long-term partnerships” with Mandiant and KPMG LLG to beef up their cybersecurity and give the telecommunications giant the “firepower” needed to improve their ability to protect customers from cybercriminals.

    “As I previously mentioned, Mandiant has been part of our forensic investigation since the start of the incident, and we are now expanding our relationship to draw on the expertise they’ve gained from the front lines of large-scale data breaches and use their scalable security solutions to become more resilient to future cyber threats,” Sievert added. “They will support us as we develop an immediate and longer-term strategic plan to mitigate and stabilize cybersecurity risks across our enterprise. Simultaneously, we are partnering with consulting firm KPMG, a recognized global leader in cybersecurity consulting. KPMG’s cybersecurity team will bring its deep expertise and interdisciplinary approach to perform a thorough review of all T-Mobile security policies and performance measurement. They will focus on controls to identify gaps and areas of improvement.”

    Both Mandiant and KPMG will work together to sketch out a plan for T-Mobile to address its cybersecurity gaps in the future. T-Mobile did not respond to requests for further comment from ZDNet.

    The telecom giant, which is the second largest in the US behind Verizon, has a terrible cybersecurity track record. Before the attack two weeks ago, the company had announced four data breaches in the last three years.

    Azure Cosmos DB alert: This critical vulnerability puts users at risk

    If you’re running NoSQL databases on Microsoft’s Azure cloud, chances are you’re running Cosmos DB. And, if that’s you, you’re in trouble. Even Microsoft has admitted that this newly discovered critical vulnerability, ChaosDB, enables intruders to read, change or even delete all your databases.


    Ouch! According to the Microsoft email describing the problem to affected customers, “Microsoft has recently become aware of a vulnerability in Azure Cosmos DB that could potentially allow a user to gain access to another customer’s resources by using the account’s primary read-write key. This vulnerability was reported to us in confidence by an external security researcher. Once we became aware of this issue on 12 August 2021, we mitigated the vulnerability immediately.”

    That’s a good thing because, according to the cloud security firm WIZ, which uncovered the ChaosDB security hole, it “gives any Azure user full admin access (read, write, delete) to another customer’s Cosmos DB instances without authorization. The vulnerability has a trivial exploit that doesn’t require any previous access to the target environment and impacts thousands of organizations, including numerous Fortune 500 companies.”

    How trivial is the exploit? Very. According to WIZ, all an attacker needs to do is exploit an easy-to-follow chain of vulnerabilities in Cosmos DB’s Jupyter Notebook. Jupyter Notebook is an open-source web application that is directly integrated with your Azure portal and Cosmos DB accounts. It allows you to create and share documents that contain live code, equations, visualizations, and narrative text. If that sounds like a lot of access to give to a web application, you’re right, it is. As bad as that is, once you have access to the Jupyter Notebook, you can obtain the target Cosmos DB account credentials, including the databases’ Primary Key. Armed with these credentials, an attacker can view, modify, and delete data in the target Cosmos DB account in multiple ways.

    To patch this hole, you must regenerate and rotate your primary read-write Cosmos DB keys for each of the impacted Azure Cosmos DB accounts. That’s easy enough. And, Microsoft claims, while this vulnerability is bad news, you don’t have to worry that much about it. Microsoft states: “We have no indication that external entities outside the researcher had access to the primary read-write key associated with your Azure Cosmos DB account(s). In addition, we are not aware of any data access because of this vulnerability. Azure Cosmos DB accounts with a vNET or firewall enabled are protected by additional security mechanisms that prevent [the] risk of unauthorized access. Out of an abundance of caution, we are notifying you to take the following actions as a precautionary measure.”

    WIZ isn’t so optimistic. While agreeing that Microsoft’s security took immediate action to fix the problem and disabled the vulnerable feature within 48 hours of being told about ChaosDB, the researchers point out that “the vulnerability has been exploitable for months and every Cosmos DB customer should assume they’ve been exposed.” I agree. It’s far better to be safe than sorry when dealing with a security hole of this size and magnitude.
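The rotation Microsoft asks for is shown below as an added example (not Microsoft's or WIZ's code) that drives the Azure CLI: it regenerates the secondary key first so clients can be moved onto a key that was never exposed, then invalidates the primary, rotates the read-only keys as well, and reports which keys actually changed. It assumes `az` is installed and logged in; the key field names are those returned by `az cosmosdb keys list`, while the firewall and vNET property names are assumed from `az cosmosdb show` output.

```python
"""Staged Azure Cosmos DB key rotation, the remediation step for ChaosDB.
Added example, not Microsoft's or WIZ's code. Drives the Azure CLI ("az",
assumed installed and logged in) so clients can move to a never-exposed key
before the exposed one is invalidated. Key field names come from
`az cosmosdb keys list`; firewall/vNET property names are assumed."""
import json
import subprocess
from typing import Callable, Dict, List

# Secondary first: clients switch to a fresh key while the primary still works;
# then the primary (the key WIZ showed was obtainable through the Jupyter
# feature) is regenerated. Read-only keys also grant data access: rotate them too.
ROTATION_ORDER = ["secondary", "primary", "secondaryReadonly", "primaryReadonly"]
KEY_FIELDS = ["primaryMasterKey", "secondaryMasterKey",
              "primaryReadonlyMasterKey", "secondaryReadonlyMasterKey"]
Runner = Callable[[List[str]], str]

def run_az(args: List[str]) -> str:
    """Run one az command and return its stdout; raises on non-zero exit."""
    return subprocess.run(["az", *args], check=True, capture_output=True, text=True).stdout

def list_keys(account: str, rg: str, run: Runner = run_az) -> Dict[str, str]:
    out = run(["cosmosdb", "keys", "list", "--name", account, "--resource-group", rg,
               "--type", "keys", "-o", "json"])
    data = json.loads(out)
    return {k: data[k] for k in KEY_FIELDS}

def network_restricted(show_json: str) -> bool:
    """True if the account has a vNET filter or IP firewall rules, the extra
    protection Microsoft's notice refers to (property names assumed)."""
    acct = json.loads(show_json)
    return bool(acct.get("isVirtualNetworkFilterEnabled")) or bool(acct.get("ipRules"))

def rotate_keys(account: str, rg: str, run: Runner = run_az,
                after_each: Callable[[str], None] = lambda kind: None) -> List[str]:
    """Regenerate every key in ROTATION_ORDER, calling after_each(kind) between
    steps (hook to re-point clients); returns the key fields that actually changed."""
    before = list_keys(account, rg, run)
    for kind in ROTATION_ORDER:
        run(["cosmosdb", "keys", "regenerate", "--name", account,
             "--resource-group", rg, "--key-kind", kind])
        after_each(kind)
    after = list_keys(account, rg, run)
    return [k for k in KEY_FIELDS if before[k] != after[k]]

if __name__ == "__main__":
    import sys
    changed = rotate_keys(sys.argv[1], sys.argv[2])  # ACCOUNT RESOURCE_GROUP placeholders
    if len(changed) != len(KEY_FIELDS):
        sys.exit(f"only {changed} changed; do not assume remediation is complete")
```

Pass a real `after_each` hook (or run the steps by hand) to update application connection strings between the secondary and primary regenerations, otherwise clients still holding the old primary key lose access the moment it is invalidated.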