Robin’s Newsletter #238

This week

Account details for 200 million Twitter users posted online

• A dataset containing the usernames and email addresses of 200 million Twitter accounts is being circulated online. Twitter is yet to comment on the situation. The data may have been taken during a previous incident.
• The data is consistent with being stolen through an API vulnerability present from June 2021 through January 2022. The issue allowed attackers to iterate through, submitting contact information and receiving the matching user accounts for email addresses and telephone numbers.
• Troy Hunt, who runs the HaveIBeenPwnd service, said it was the first ‘seven-figure’ breach notification he has sent, affecting over 1 million of his 4.4 million breach notification subscribers.

“…because so much of this was already out there, I don’t think this is going to be an incident that has a long tail in terms of impact. But it may de-anonymize people.” — Troy Hunt, HaveIBeenPwnd.

• It’s the de-anonymisation that will be of greatest concern, and potential harm, to users. Twitter has previously acknowledged this risk as a result of the API vulnerability.

theguardian.com, arstechnica.com

Chinese researchers say they can break 2048-bit RSA encryption

• A paper published by 24 Chinese researchers hypothesises that they may be able to break 2048-bit RSA encryption with a 372-qubit quantum computer; however, the paper hasn’t been peer-reviewed (or classified by the Chinese government!) and doesn’t describe how methods for overcoming scaling issues. Previous estimates suggested 20 million qubits would be necessary, while IBM’s Osprey quantum computer is a 433-qubit machine. schneier.com

Turla is co-opting old malware for its campaigns, says Mandiant 

• Mandiant says that the Russian-linked Turla group has registered old domains and used a decade-old version of the Andromeda malware to hide its campaign against Ukrainian targets. cyberscoop.com

Cybercriminals stole $272 million from Ray-Ban-manufacturer in 2019

• EMTC, the Thai manufacturing subsidiary of Ray-Ban sunglasses owner EssilorLuxottica, is being allowed to sue JP Morgan Chase Bank by a New York federal judge over $272 million of fraudulent transactions. EMTC says that JPM failed to notify it of accounts going overdrawn and allowing payments well in excess of its $10 million daily limit, while cybercriminals made 243 fraudulent payments in 2019. The bank says EMCT didn’t detect the fraud over the four months, questioning how they had failed to account for the missing quarter billion dollars. It seems there were process and financial control failures on both sides. theregister.com

Police incorrectly arrest suspect after relying on facial recognition over height, weight

• DeKalb County, Georgia Police arrested a Black man and held him in jail for a week, relying on an incorrect facial recognition match, even though the man was of a different height and weight to the suspect. arstechnica.com

Interesting stats

Ransomware in the US public sector: 105 counties,  44 universities and colleges,  45 school districts, and  24 healthcare providers (operating 289 hospitals) were affected by ransomware in 2022, according to Emisoft and based on public statements. The real numbers may be higher. bleepingcomputer.com

Other newsy bits / in brief

Attacks, incidents & breaches

• Cybercriminals stole the personal information of almost 269,752 patients in a cyberattack against Lake Charles Memorial Health System in October 2022. Hive ransomware group claimed responsibility for the data breach, which included contact and identity information but no medical records. therecord.media
• The Housing Authority of the City of Los Angeles (HACLA), which administer a budget of $1 billion and provide housing to 19,000 families, are being ransomed by LockBit ransomware group. therecord.media
• LockBit has also ‘formally apologised’ over an affiliate who targeted Toronto children’s hospital, SickKids, just before Christmas. theregister.com
• Pass interference: EA says a “data storage issue” corrupted save games of Madden NFL 23 who logged on to play over 28th-29th December, and that it doesn’t expect to recover 60% of the affected player save games. arstechnica.com
• Airline loyalty programme Flying Blue, whose members include KLM and Air France, is warning customers to change their passwords following a data breach. The potentially compromised data includes names, contact information, balances and transactions related to frequent flyer miles. bleepingcomputer.com
• The Twitter accounts of *Piers Morgan, UK education secretary Gillian Keegan and Northern Ireland secretary Chris Heaton-Harris were taken over theguardian.com (PM), theguardian.com (GK), theguardian.com (CHH)
• The Port of Lisbon suffered a cyberattack on Christmas Day though operational activity was not compromised. therecord.media
• Access tokens for Slack employees were stolen and used to gain access to private GitHub repositories. The company’s notification says the repositories did not contain or allow access to customer data. bleepingcomputer.com
• Rackspace has provided an update on the Play ransomware attack it suffered in December. The update says that less than 5% of its customers have downloaded the backups it has made available and that the threat actor accessed the Personal Storage Table (PST) files of 27 hosted exchange customers. Rackspace’s CSO, Karen O’Reilly-Smith, blamed the access on a zero-day exploit in Outlook Web Access, CVE-2022-41080. theregister.com

Threat intel

• Palo Alto Networks says a South African group called Automated Libra has been using free cloud services and a CAPTCHA-solving system to create fake GitHub accounts. Interestingly, the CAPTCHA bypass appears pretty trivial: the lowest red channel ‘skewness’ of the images is a reliable indicator of the correct image. bleepingcomputer.com
• The SpyNote Android trojan has started targeting online banking apps, stealing usernames and passwords for bank accounts, says researchers at ThreatFabric. The group’s campaigns use phishing campaigns to promote spoofed legitimate banking apps, with ‘hundreds’ of victims being snared each week since October 2022. zdnet.com

Vulnerabilities

• Synology’s internal product security team has identified a ‘perfect 10’ vulnerability in its VPN Plus Server software. CVE-2022-43931 is an out-of-bounds write vulnerability that could allow attackers to execute arbitrary commands. bleepingcomputer.com
• There is a “pre-authentication buffer overflow security vulnerability” in seven models of Netgear router. CVE-2022-48196 has a CVSS score of 7.4, and Netgear ‘strongly recommends’ updating the firmware ‘as soon as possible’. therecord.media, netgear.com
• Zoho is urging customers to patch an SQL injection vulnerability in the company’s Password Manager Pro, PAM360 and Access Manager Plus privileged access management solutions. CVE-2022-47523 is rated high, rather than critical, as it is only accessible to authenticated users. bleepingcomputer.com
• Dridex malware appears to be testing a version capable of exploiting macOS devices, says Trend Micro. theregister.com

Security engineering

• CircleCI says that all customers should rotate their secrets following a security breach at the CI/CD platform. techcrunch.com
• Dependency confusion: PyTorch framework nightly builds between 25th-30th December unwittingly included a malicious version of the torchtriton dependency. The malware exfiltrated usernames and details from hosts, passwd, .gitconfig and .ssh files, amongst others, in the user’s home directory. An unnamed researcher has claimed responsibility, saying it “was not intended to be malicious”, that they “could have done a better job to not send all of the user’s data”, and that they have deleted data they received. theregister.com

Operational technology

• Canada’s Copper Mountain Mining Corporation has switched to manual processes and shut down mills after a ransomware attack. therecord.media

Internet of Things

• Samsung plans to secure your smart home. Knox Matrix, announced at CES this week, will centre around a ‘private blockchain of trusted devices’. Samsung smart devices will be the first to make use, but an open API is planned and will be available later in 2023. zdnet.com

Privacy

• The Irish Data Protection Commission (DPC) is to fine Meta €390 million ($414 million) for GDPR violations dating back to the regulation’s introduction in 2018, following a ruling of the European Data Protection Board (EDPB) in December that overturned the DPC’s decision. In a twist, though, the DPC also announced it intends to file for the annulment of portions of the EDPB’s binding decision. The case revolves around using contractual, rather than explicit, user consent for advertising and tracking purposes. theregister.com
• Google has settled a location tracking lawsuit with the states of Indiana and Washington DC for $29.5 million. The search giant admitted no wrongdoing as part of the settlement. It’s over the same issues that Google settled collectively with 40 other states for $391.5 million in November last year (vol. 5, iss. 47). theregister.com

Public policy

• TikTok banned from House of Representatives devices citing “security risks” and a Chief Administrative Office assessment that it “actively harvests” biometric data therecord.media
• Vincent Strubel has been appointed as the chief of France’s national cyber security agency. therecord.media

Regulatory

• Federal Communication Commission chair Jessica Rosenworcel says that telco “data breach rules are 15 years old” and that updates to these regulations are coming. bleepingcomputer.com

Law enforcement

• Ukraine’s Cyber Police Department have shut down a scam call centre operating out of Dnipro. The 37 call centre operators have targeted around 18,000 Kazakhstan citizens. therecord.media
• Zack Whittaker and Carly Page have a round-up of high-profile cybercriminals arrested in 2022. techcrunch.com

And finally

• Video: A physical data breach in the municipality of Ditsobotla, South Africa, where taxpayer files were strewn across the streets of Lichtenburg over a dispute between authorities and contractors. @helenzille, sowetanliva.co.za