This week
AT&T loses customer call and SMS records
- AT&T has lost data relating to “nearly all” of its 110 million US customers. The data does not contain the contents of calls or messages, but it does record who called or texted whom, and when. The telco was storing the call and SMS records in the Snowflake platform, which the ShinyHunters group accessed in April of this year.
- AT&T does not believe that the breach will have a material impact on its financial position, per its SEC filing. LINK, MORE
Attackers leak 39,000 print-at-home Ticketmaster tickets
Sticking with ShinyHunters/Snowflake fallout…
- A threat actor named Sp1d3rHunters has posted details of 39,000 Ticketmaster tickets to ratchet up pressure on the events company to meet its extortion demands.
- While Ticketmaster was quick to play down the risk last week, saying that barcodes can be rotated, the attackers have responded with details of ‘print at home’ tickets that obviously, because of their static nature, cannot be rotated.
- The reality here is that it is unlikely to result in Ticketmaster paying up, but gig-goers may need help getting into their chosen event. Hopefully, knowing which barcodes have been exposed, Ticketmaster can go through and reissue tickets for those affected. LINK
- The company started notifying affected people in North America this week, encouraging them to “be vigilant” and offering identity monitoring services. LINK
Interesting stats
76% of 642 global websites and mobile apps reviewed by the Federal Trade Commission (FTC) use at least one ‘dark pattern’ to steer users into sacrificing their privacy or purchasing things they don’t need. LINK
22 minutes between Rapid7 sharing a proof-of-concept for a JetBrains vulnerability and Cloudflare observing attempted exploitation. 4 hours 46 mins from the public disclosure of the vulnerability, which I suspect is probably when the threat actors started working on a potential exploit. Either way, yikes. LINK
Other newsy bits / in brief
🤓 Interesting reads:
- Banks in Singapore will phase out SMS-based one-time passwords in the next three months to combat phishing scams. LINK
⚠️ Incidents:
- Evolve Bank & Trust confirmed that LockBit stole 7.6 million people’s data in late May, with partners Wise and Affirm making an SEC filing that they were both materially affected by the data theft. LINK
- Users of Elexon, a relatively unknown company at the centre of the UK’s energy market, suffered an outage this week when a certificate for its data portal was allowed to expire. Energy companies use Elexon’s data to make trading decisions and as the ‘primary channel’ for data on balancing and settlement arrangements of the UK electricity market. LINK
- Financial Business and Consumer Solutions (FBCS) has begun notifying over 4 million people that their data was exposed in February this year. The Pennsylvania-based debt collection agency made an updated regulatory filing this week confirming that the scale of the breach was twice what had been previously reported. LINK
- Hacktivist group SiegedSec has released two gigabytes of data from the Heritage Foundation, the conservative think tank behind ‘Project 2025’ — a set of policy proposals for a future Republican president that includes the reclassification of thousands of civil service staffers and political appointees. LINK
- Government websites in Macau were disrupted by denial-of-service attacks this week. The motive and the group behind the attacks are unclear. LINK
🏴☠️ Ransomware:
- Blockchain intelligence firm TRM Labs says that two cryptocurrency wallets belonging to the BlackSuit ransomware group received payments totalling more than $25 million days after car dealership software vendor CDK was compromised. LINK
🕵️ Threat Intel:
- Joint advisory on APT40, a China-linked threat actor, who Australian authorities say develops or uses proofs of concept for new, high-profile vulnerabilities within hours of their public release. LINK
- Threat actors have been using a technique that forces URLs to open in Internet Explorer, so that they can exploit other vulnerabilities in the legacy Microsoft browser. LINK
🪲 Vulnerabilities:
- The Exim mail server software contains a vulnerability that lets attackers deliver executable attachments that the server’s filename-based blocking should have stopped. CVE-2024-39929 (9.1/10) is a parsing bug in the handling of multi-line (RFC 2231) attachment filenames, which lets a message slip past $mime_filename extension-blocking rules. Around 1.5 million Exim servers were running a vulnerable version of the software this week, according to Censys. LINK, BUG
- The OpenSSH server (sshd) as shipped in Fedora 36 and 37 and Red Hat Enterprise Linux 9 contains a signal-handler race condition that may lead to remote code execution, CVE-2024-6409 (7.0/10). LINK
- Attackers are seeking to exploit a vulnerability in WordPress’s Modern Events Calendar plugin. Researchers discovered an arbitrary file upload vulnerability (CVE-2024-5441; 8.8/10) in May, and a patch is available. LINK, MORE
- GitLab has released a patch for a critical vulnerability in its Community and Enterprise software. CVE-2024-6385 (9.6/10) allows attackers to run Continuous Integration/Continuous Deployment (CI/CD) pipeline jobs as any other user. LINK
- Netgear is encouraging customers to patch their WiFi 6 routers after cross-site scripting and authentication bypass vulnerabilities were discovered in its firmware. LINK, ADVISORY 1, ADVISORY 2
🧰 Guidance and tools:
- Avast has publicly released a decryptor for the DoNex ransomware variant after privately helping victims and law enforcement since March 2024. LINK
📜 Policy & Regulation:
- Germany has become the latest country to ban Chinese telco equipment from its 5G networks. Telco companies will have until 2026 to remove equipment supplied by Huawei and ZTE from “core” sites, such as data centres, and then until 2029 to remove it from wider transmission sites. LINK
- Members of the NATO military alliance have committed to establishing an ‘Integrated Cyber Defence Centre’ in Belgium. Civilian and military personnel will focus on situational awareness, collective defence and resilience and the protection of critical undersea infrastructure. LINK
👮 Law Enforcement:
- The US Department of Justice has seized two domains and ‘hundreds’ of social media accounts it claims are linked to a Russian government-backed bot farm used to generate content and fake interactions on social media. The advisory attributes the bots to affiliates of the RT (Russia Today) media group and says they were orchestrated using the ‘Meliorator’ software platform. LINK, ADVISORY (PDF)
💰 Investments, mergers and acquisitions:
- Tracebit, a London cloud detection and response startup, has closed a $5 million seed funding round led by Accel. LINK
- Internet of Things cyber company Exein has raised a €15 million Series B round led by 33N. LINK
- Vista Equity may be exploring a sale of software security firm Sonatype in a transaction that may value the company at $1.5 billion. LINK
And finally
- Blast RADIUS: Yes, it’s a branded vulnerability, but I also bet you didn’t realise that the RADIUS protocol still relies on MD5 to authenticate its responses. That led to security researchers’ discovery that an attacker-in-the-middle can turn a failed authentication into a successful one: using an MD5 chosen-prefix collision, they forge a valid Access-Accept in place of the server’s Access-Reject, without ever learning the shared secret. The practical fix is to require the HMAC-based Message-Authenticator attribute on every packet (or to run RADIUS over TLS). As a protocol, RADIUS is used in loads of network and internet plumbing, so it will be a painful job for NOCs worldwide to upgrade all the affected equipment. LINK, MORE
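The two checks the item above turns on, as an added example written for this newsletter rather than code from the Blast RADIUS researchers or any vendor: the RFC 2865 Response Authenticator (an unkeyed MD5 with the shared secret merely appended) and the RFC 2869 Message-Authenticator (HMAC-MD5 keyed with the secret). The block does not reproduce the MD5 chosen-prefix collision; the attacker’s end result, an Access-Accept carrying a Response Authenticator that still verifies, is simulated by computing that value with the secret, which the real attacker never has. The shared secret, identifier, user name and Proxy-State value are all made up.

```python
"""Toy RADIUS authenticator checks. Added example; the secret and values are made up."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, PROXY_STATE, MESSAGE_AUTHENTICATOR = 1, 33, 80
HEADER = struct.Struct("!BBH")  # code, identifier, length; 16-byte authenticator follows


def encode_attrs(attrs):
    """Serialise [(type, value), ...] as RADIUS TLVs: type, length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(blob):
    """Inverse of encode_attrs; rejects malformed lengths instead of guessing."""
    attrs, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute")
        attrs.append((blob[i], blob[i + 2:i + blob[i + 1]]))
        i += blob[i + 1]
    return attrs


def build(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return HEADER.pack(code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 s3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret).
    The secret is only a suffix of an unkeyed MD5, so two packet prefixes that
    collide under MD5 still collide once the secret is appended."""
    body = encode_attrs(attrs)
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(body)) + request_auth + body + secret).digest()


def message_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2869 s5.14: HMAC-MD5 keyed with the secret, over the packet with the
    Message-Authenticator value zeroed and the *request* authenticator in the
    authenticator field (this holds for responses as well as requests)."""
    zeroed = [(t, b"\x00" * 16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    body = encode_attrs(zeroed)
    return hmac.new(secret, HEADER.pack(code, ident, 20 + len(body)) + request_auth + body, hashlib.md5).digest()


def server_reply(request, secret, accept):
    """Answer an Access-Request, echoing Proxy-State and adding a Message-Authenticator."""
    code, ident, _ = HEADER.unpack(request[:4])
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    request_auth = request[4:20]
    attrs = [a for a in decode_attrs(request[20:]) if a[0] == PROXY_STATE]
    reply = ACCESS_ACCEPT if accept else ACCESS_REJECT
    attrs.append((MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    attrs[-1] = (MESSAGE_AUTHENTICATOR, message_authenticator(reply, ident, request_auth, attrs, secret))
    return build(reply, ident, response_authenticator(reply, ident, request_auth, attrs, secret), attrs)


def verify_reply(reply, request_auth, secret, require_message_authenticator):
    """Client-side check. Returns 'accept', 'reject' or 'drop: <reason>'."""
    code, ident, length = HEADER.unpack(reply[:4])
    if length != len(reply):
        return "drop: length mismatch"
    attrs = decode_attrs(reply[20:])
    if not hmac.compare_digest(reply[4:20], response_authenticator(code, ident, request_auth, attrs, secret)):
        return "drop: bad Response Authenticator"
    if require_message_authenticator:
        macs = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
        if len(macs) != 1:
            return "drop: Message-Authenticator missing"
        if not hmac.compare_digest(macs[0], message_authenticator(code, ident, request_auth, attrs, secret)):
            return "drop: bad Message-Authenticator"
    return "accept" if code == ACCESS_ACCEPT else "reject"


def forge_accept_from_reject(reject, request_auth, secret):
    """What the attacker-in-the-middle ends up holding: the server's Reject with the
    code flipped to Accept and a Response Authenticator that still verifies. Blast
    RADIUS obtains that value via an MD5 chosen-prefix collision hidden in Proxy-State;
    here it is simply computed with the secret, which the real attacker never has."""
    _, ident, _ = HEADER.unpack(reject[:4])
    attrs = decode_attrs(reject[20:])
    return build(ACCESS_ACCEPT, ident, response_authenticator(ACCESS_ACCEPT, ident, request_auth, attrs, secret), attrs)


# Constructed sample exchange, not captured traffic.
SECRET = b"made-up-shared-secret"
REQUEST_AUTH = bytes(range(16))  # a real client uses 16 random bytes
REQUEST = build(ACCESS_REQUEST, 7, REQUEST_AUTH, [(USER_NAME, b"alice"), (PROXY_STATE, b"hop-1")])


def demo():
    reject = server_reply(REQUEST, SECRET, accept=False)
    forged = forge_accept_from_reject(reject, REQUEST_AUTH, SECRET)
    return {
        "legacy_client_sees_reject": verify_reply(reject, REQUEST_AUTH, SECRET, False),
        "legacy_client_sees_forged": verify_reply(forged, REQUEST_AUTH, SECRET, False),
        "strict_client_sees_forged": verify_reply(forged, REQUEST_AUTH, SECRET, True),
        "strict_client_sees_accept": verify_reply(server_reply(REQUEST, SECRET, True), REQUEST_AUTH, SECRET, True),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The legacy client, which checks only the Response Authenticator, accepts the forged packet; the strict client drops it because the copied Message-Authenticator was computed over a Reject, and an attacker without the secret cannot produce a fresh HMAC, collision or not. Note that the strict check only helps if the server actually sends the attribute, which is why the vendor patches change both sides; a real client would also match the identifier against its outstanding request and discard replies with a stale or unknown Request Authenticator.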