Robin’s Newsletter #227

23 October 2022. Volume 5, Issue 43
Microsoft leaves 2.4TB of 'business transaction data' in public Azure bucket. Head of Germany's cyber agency suspended for links to Russian intelligence. Optus unilaterally blocks data breach victims' passports.

This week

Misconfiguration exposes Microsoft customer data

Microsoft confirmed this week that it had misconfigured an Azure blob storage bucket, leaving the contents open to anyone on the Internet. The misconfiguration was discovered and reported by SOCRadar, which sells a product for detecting such issues.

SOCRadar claims it found six such buckets that exposed 2.4TB of ‘business transaction data’ between Microsoft and 150,000 customers and partners from 123 countries. The details included names, email addresses and message content, purchase orders, statements of work and other such commercial records collected over the last five years.

In a short blog post, Microsoft downplayed the exposure, calling it an “issue” and asserting that it secured the endpoint quickly. The words ‘breach’ or ‘incident’ are notably absent from the post, while ire was directed at SOCRadar for indexing the data and making it available via a search engine.

Microsoft has written to affected customers, but some were disappointed that the company was unable (or unwilling) to provide further details on exactly what data of theirs was exposed.

Both parties could have handled their disclosures better: SOCRadar’s plugs its own product, while Microsoft’s lacked detail and tried to reframe the events.

Perhaps a detailed write-up will follow, identifying the root cause and improvements made. We all make mistakes, but you expect vendors to configure their products correctly.

arstechnica.com · theregister.com · microsoft.com

Interesting stats

40% of UK crime is fraud, says justice committee chair Sir Bob Neill MP, while only 2% of police funding is dedicated to combatting it, and just 380 of the 20,000 new officers expected to be recruited by 2023 will be dedicated to tackling fraud ft.com

Other newsy bits / in brief

  • Optus has left some victims of its data breach unable to verify their identities for welfare payments after the company asked the Australian federal government to block affected passport numbers from the country’s national Document Verification System theguardian.com

  • Arne Schönbohm, president of Germany’s Federal Office for Information Security (BSI), has been suspended following allegations he is linked with Russian intelligence bbc.co.uk

  • Interesting read from Kelley Dwyer for Lawfare on the fallout from the recent Uber ‘data breach cover-up’ case (vol. 5, iss. 41), posing questions to the Department of Justice about the circumstances in which such charges may, or may not, be brought in other cases lawfareblog.com

Attacks, incidents & breaches

  • Pro-Russian group Killnet has claimed responsibility for a distributed denial of service (DDoS) attack against Bulgarian government websites. The group is said to have briefly taken the websites of the presidential administration and the Defense, Interior and Justice ministries offline for “betrayal” of Russia therecord.media
  • Verizon has warned prepaid customers that an attacker gained access to their accounts. The number of affected customers was not disclosed, but the attacker may have accessed names, telephone numbers, billing addresses, price plans, and the last four digits of payment cards. The latter appears to be linked to how the attacker gained access to the accounts, some of which had ‘SIM swaps’ initiated that would allow the rerouting of one-time codes sent via text message bleepingcomputer.com
  • A fishing vessel, rather than sabotage, is believed to be the cause of damage to a cable supplying the Internet to the Shetland Islands after another cable was also accidentally damaged earlier this week. The outage is causing problems not just with internet access and making voice calls but also with point-of-sale terminals and ATMs therecord.media
  • 323 residential and small business customers of EnergyAustralia have had their data affected by unauthorised access to the company’s My Account platform. The data includes customer names, addresses, emails, phone numbers, bills and the last three digits of their payment cards theguardian.com

Threat intel

  • As ‘double-extortion’ attacks rise, ransomware groups are working on new tooling that allows them to exfiltrate stolen data more quickly to services like Mega bleepingcomputer.com
  • Norway’s cyber security and counterintelligence agencies are working closely to combat Russian threats to the oil and gas industry, following the recent arrests of seven Russian nationals in connection with drone flights over energy facilities therecord.media
  • US CISA issues alert over Daixin Team ransomware attacks predominantly focussed on US healthcare organisations cisa.gov
  • Uptick in exploitation of the VMware Workspace ONE Access vulnerability CVE-2022-22954, which was patched in April this year, to infect vulnerable devices with a collection of cryptocurrency mining and ransomware malware, says Fortinet arstechnica.com
  • ‘Text4Shell’ vulnerability (CVE-2022-42889) in the Apache Commons Text library carries a CVSS score of 9.8/10, but requires specific application development practices and uncommon configurations to exploit therecord.media
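The “specific development practice” behind Text4Shell is handing untrusted text to the library’s default interpolating StringSubstitutor, whose default lookups in Commons Text 1.5 through 1.9 included script, dns and url. The snippet below is an added illustration for this newsletter, not code from Apache or from the linked report; the class name, the constructed sample input and the choice of date as the only permitted lookup are assumptions. The hardened variant shows the check a practitioner wants: an interpolator that only knows the lookups the application needs, which holds regardless of the library version (1.10.0 also removed script, dns and url from the defaults).

```java
import java.util.Map;
import org.apache.commons.text.StringSubstitutor;
import org.apache.commons.text.lookup.StringLookup;
import org.apache.commons.text.lookup.StringLookupFactory;

public class Text4ShellDemo {

    // Constructed sample standing in for an untrusted request parameter.
    // On Commons Text 1.5 - 1.9 with a JSR-223 engine (e.g. Nashorn) on the
    // classpath, the default interpolator resolves the "script" prefix and
    // this runs a command instead of being treated as text.
    static final String UNTRUSTED =
        "${script:javascript:java.lang.Runtime.getRuntime().exec('id')}";

    // Vulnerable pattern: untrusted input to the default interpolator.
    // Only call this against an affected version inside a throwaway VM.
    static String vulnerableRender(String input) {
        return StringSubstitutor.createInterpolator().replace(input);
    }

    // Hardened pattern: an explicit allow-list of lookups. The third argument
    // (addDefaultLookups = false) keeps script, dns and url out on any version;
    // the null default lookup means unknown prefixes are left unresolved.
    static String hardenedRender(String input) {
        Map<String, StringLookup> allowed = Map.of(
            "date", StringLookupFactory.INSTANCE.dateStringLookup());
        StringLookup interpolator = StringLookupFactory.INSTANCE
            .interpolatorStringLookup(allowed, null, false);
        return new StringSubstitutor(interpolator).replace(input);
    }

    public static void main(String[] args) {
        // The script expression is not a known prefix, so the ${...} is
        // returned verbatim rather than executed.
        System.out.println(hardenedRender(UNTRUSTED));
        // A permitted lookup still works:
        System.out.println(hardenedRender("Generated ${date:yyyy-MM-dd}"));
    }
}
```

The “uncommon configuration” caveat in the item above is the runtime requirement: even on an affected version, `${script:...}` only executes if a script engine is present on the classpath (Nashorn was removed from the JDK in Java 15), and `${dns:...}`/`${url:...}` need the application to reflect or act on the substituted value. Upgrading to 1.10.0 and allow-listing lookups as above closes both paths.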

Privacy

  • Clearview AI has been fined €20 million by France’s data protection regulator (CNIL) for illegally collecting and processing biometric data of French citizens bleepingcomputer.com

Regulatory

  • New cyber directive for US freight and passenger railroad companies issued by the Transportation Security Administration (TSA). The rules come into force this coming week and will last one year while the TSA consults on the enduring requirements. Railroad companies will be required to develop network segmentation and access control approaches, implement detection controls and patch hardware and software more frequently therecord.media
  • Insurance company EyeMed was fined $4.5 million for violating New York State Department of Financial Services cyber security regulations. The transgression occurred back in 2020, when an attacker gained access to a shared mailbox used to process new customer enrolments theregister.com

Law enforcement

  • Brazilian police say they have arrested alleged members of the Lapsus$ group on charges relating to operating a criminal organisation, computer intrusions, money laundering and corruption of minors therecord.media
  • Europol has arrested 31 people who were using a ‘fraudulent tool’ to “connect to the car they wish to steal to open the doors and drive off” zdnet.com

Mergers, acquisitions and investments

  • NTT Communications and Denso (part of Toyota) have announced a partnership to create a ‘Security Operations Centre for Vehicles’ theregister.com
Robin
