Three different cybercriminal groups claimed access to internal networks at communications giant T-Mobile in more than 100 separate incidents throughout 2022, new data suggests. In each case, the goal of the attackers was the same: Phish T-Mobile employees for access to internal company tools, and then convert that access into a cybercrime service that could be hired to divert any T-Mobile user’s text messages and phone calls to another device.
The conclusions above are based on an extensive analysis of Telegram chat logs from three distinct cybercrime groups or actors that have been identified by security researchers as particularly active in and effective at “SIM-swapping,” which involves temporarily seizing control over a target’s mobile phone number.
Countless websites and online services use SMS text messages for both password resets and multi-factor authentication. This means that stealing someone’s phone number often can let cybercriminals hijack the target’s entire digital life in short order — including access to any financial, email and social media accounts tied to that phone number.
All three SIM-swapping entities that were tracked for this story remain active in 2023, and they all conduct business in open channels on the instant messaging platform Telegram. KrebsOnSecurity is not naming those channels or groups here because they will simply migrate to more private servers if exposed publicly, and for now those servers remain a useful source of intelligence about their activities.
Each advertises their claimed access to T-Mobile systems in a similar way. At a minimum, every SIM-swapping opportunity is announced with a brief “Tmobile up!” or “Tmo up!” message to channel participants. Other information in the announcements includes the price for a single SIM-swap request, and the handle of the person who takes the payment and information about the targeted subscriber.
The information required from the customer of the SIM-swapping service includes the target’s phone number, and the serial number tied to the new SIM card that will be used to receive text messages and phone calls from the hijacked phone number.
Initially, the goal of this project was to count how many times each entity claimed access to T-Mobile throughout 2022, by cataloging the various “Tmo up!” posts from each day and working backwards from Dec. 31, 2022.
But by the time we got to claims made in the middle of May 2022, completing the rest of the year’s timeline seemed unnecessary. The tally shows that in the last seven-and-a-half months of 2022, these groups collectively made SIM-swapping claims against T-Mobile on 104 separate days — often with multiple groups claiming access on the same days.
The 104 days in the latter half of 2022 in which different known SIM-swapping groups claimed access to T-Mobile employee tools.
KrebsOnSecurity shared a large amount of data gathered for this story with T-Mobile. The company declined to confirm or deny any of these claimed intrusions. But in a written statement, T-Mobile said this type of activity affects the entire wireless industry.
“And we are constantly working to fight against it,” the statement reads. “We have continued to drive enhancements that further protect against unauthorized access, including enhancing multi-factor authentication controls, hardening environments, limiting access to data, apps or services, and more. We are also focused on gathering threat intelligence data, like what you have shared, to help further strengthen these ongoing efforts.”
While it is true that each of these cybercriminal actors periodically offers SIM-swapping services for other mobile phone providers — including AT&T, Verizon and smaller carriers — those solicitations appear far less frequently in these group chats than T-Mobile swap offers. And when those offers do materialize, they are considerably more expensive.
The prices advertised for a SIM-swap against T-Mobile customers in the latter half of 2022 ranged between USD $1,000 and $1,500, while SIM-swaps offered against AT&T and Verizon customers often cost well more than twice that amount.
To be clear, KrebsOnSecurity is not aware of specific SIM-swapping incidents tied to any of these breach claims. However, the vast majority of advertisements for SIM-swapping claims against T-Mobile tracked in this story had two things in common that set them apart from random SIM-swapping ads on Telegram.
First, they included an offer to use a mutually trusted “middleman” or escrow provider for the transaction (to protect either party from getting scammed). More importantly, the cybercriminal handles that were posting ads for SIM-swapping opportunities from these groups generally did so on a daily or near-daily basis — often teasing their upcoming swap events in the hours before posting a “Tmo up!” message announcement.
In other words, if the crooks offering these SIM-swapping services were ripping off their customers or claiming to have access that they didn’t, this would be almost immediately obvious from the responses of the more seasoned and serious cybercriminals in the same chat channel.
There are plenty of people on Telegram claiming to have SIM-swap access at major telecommunications firms, but a great many such offers are simply four-figure scams, and any pretenders on this front are soon identified and banned (if not worse).
One of the groups that reliably posted “Tmo up!” messages to announce SIM-swap availability against T-Mobile customers also reliably posted “Tmo down!” follow-up messages announcing exactly when their claimed access to T-Mobile employee tools was discovered and revoked by the mobile giant.
A review of the timestamps associated with this group’s incessant “Tmo up” and “Tmo down” posts indicates that while their claimed access to employee tools usually lasted less than an hour, in some cases that access apparently went undiscovered for several hours or even days.
How could these SIM-swapping groups be gaining access to T-Mobile’s network as frequently as they claim? Peppered throughout the daily chit-chat on their Telegram channels are solicitations for people urgently needed to serve as “callers,” or those who can be hired to social engineer employees over the phone into navigating to a phishing website and entering their employee credentials.
Allison Nixon is chief research officer for the New York City-based cybersecurity firm Unit 221B. Nixon said these SIM-swapping groups will typically call employees on their mobile devices, pretend to be someone from the company’s IT department, and then try to get the person on the other end of the line to visit a phishing website that mimics the company’s employee login page.
Nixon argues that many people in the security community tend to discount the threat from voice phishing attacks as somehow “low tech” and “low probability” threats.
“I see it as not low-tech at all, because there are a lot of moving parts to phishing these days,” Nixon said. “You have the caller who has the employee on the line, and the person operating the phish kit who needs to spin it up and down fast enough so that it doesn’t get flagged by security companies. Then they have to get the employee on that phishing site and steal their credentials.”
In addition, she said, often there will be yet another co-conspirator whose job it is to use the stolen credentials and log into employee tools. That person may also need to figure out how to make their device pass “posture checks,” a form of device authentication that some companies use to verify that each login is coming only from employer-issued phones or laptops.
For aspiring criminals with little experience in scam calling, there are plenty of sample call transcripts available on these Telegram chat channels that walk one through how to impersonate an IT technician at the targeted company — and how to respond to pushback or skepticism from the employee. Here’s a snippet from one such tutorial that appeared recently in one of the SIM-swapping channels:
“Hello this is James calling from Metro IT department, how’s your day today?”
(yea im doing good, how r u)
i’m doing great, thank you for asking
i’m calling in regards to a ticket we got last week from you guys, saying you guys were having issues with the network connectivity which also interfered with [Microsoft] Edge, not letting you sign in or disconnecting you randomly. We haven’t received any updates to this ticket ever since it was created so that’s why I’m calling in just to see if there’s still an issue or not….”
The TMO UP data referenced above, combined with comments from the SIM-swappers themselves, indicate that while many of their claimed accesses to T-Mobile tools in the middle of 2022 lasted hours on end, both the frequency and duration of these events began to steadily decrease as the year wore on.
T-Mobile declined to discuss what it may have done to combat these apparent intrusions last year. However, one of the groups began to complain loudly in late October 2022 that T-Mobile must have been doing something that was causing their phished access to employee tools to die very soon after they obtained it.
One group even remarked that they suspected T-Mobile’s security team had begun monitoring their chats.
Indeed, the timestamps associated with one group’s TMO UP/TMO DOWN notices show that their claimed access was often limited to less than 15 minutes throughout November and December of 2022.
Whatever the reason, the calendar graphic above clearly shows that the frequency of claimed access to T-Mobile decreased significantly across all three SIM-swapping groups in the waning weeks of 2022.
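The two figures the story rests on, the number of distinct days with a claimed access and how long each access lasted between an "up" post and the matching "down" post, can be reproduced mechanically from a chat export. The Go program below is an added example, not part of the article or of KrebsOnSecurity's own analysis; the chat lines it parses are constructed sample data in an assumed "timestamp | poster: text" layout, and the poster names are placeholders.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Constructed sample of a chat export (not real data), one message per line as
// "timestamp | poster: text". group_b's claim never gets a matching "down".
const sampleChat = `2022-11-14 18:02:11 | group_a: Tmo up!
2022-11-14 18:14:40 | group_a: Tmo down!
2022-11-14 21:30:05 | group_b: Tmobile up! escrow available
2022-11-15 02:11:00 | group_a: tmo up
2022-11-15 02:19:30 | group_a: TMO DOWN
2022-11-15 09:00:00 | group_b: anyone need att?
2022-11-16 17:45:12 | group_a: Tmo up!
2022-11-16 19:20:00 | group_a: Tmo down!`

// event is one parsed message; Kind is "up", "down" or "" for other chatter.
type event struct {
	At    time.Time
	Group string
	Kind  string
}

// window is one claimed access period; a zero End means no "down" was ever posted.
type window struct {
	Group      string
	Start, End time.Time
}

var lineRE = regexp.MustCompile(`^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \| (\w+): (.*)$`)
var claimRE = regexp.MustCompile(`(?i)\btmo(?:bile)?\s*(up|down)\b`)

// classify tags a message as an access claim ("up"), a revocation notice ("down"), or chatter.
func classify(text string) string {
	if m := claimRE.FindStringSubmatch(text); m != nil {
		return strings.ToLower(m[1])
	}
	return ""
}

// parseChat turns the export into timestamped, classified events.
func parseChat(export string) ([]event, error) {
	var events []event
	for _, line := range strings.Split(export, "\n") {
		m := lineRE.FindStringSubmatch(strings.TrimSpace(line))
		if m == nil {
			return nil, fmt.Errorf("unparseable line: %q", line)
		}
		at, err := time.Parse("2006-01-02 15:04:05", m[1])
		if err != nil {
			return nil, err
		}
		events = append(events, event{At: at, Group: m[2], Kind: classify(m[3])})
	}
	return events, nil
}

// claimDays counts distinct calendar days with at least one "up" claim, the figure the article's calendar is built from.
func claimDays(events []event) int {
	days := map[string]bool{}
	for _, e := range events {
		if e.Kind == "up" {
			days[e.At.Format("2006-01-02")] = true
		}
	}
	return len(days)
}

// accessWindows pairs each poster's "up" with that same poster's next "down"; a repeated "up" while a window is open, or a "down" with nothing open, is ignored.
func accessWindows(events []event) []window {
	open := map[string]int{} // poster -> index in out of its unclosed window
	var out []window
	for _, e := range events {
		i, busy := open[e.Group]
		switch {
		case e.Kind == "up" && !busy:
			out = append(out, window{Group: e.Group, Start: e.At})
			open[e.Group] = len(out) - 1
		case e.Kind == "down" && busy:
			out[i].End = e.At
			delete(open, e.Group)
		}
	}
	return out
}

func main() {
	events, err := parseChat(sampleChat)
	if err != nil {
		panic(err)
	}
	fmt.Println("days with claimed access:", claimDays(events))
	for _, w := range accessWindows(events) {
		fmt.Printf("%+v\n", w) // an open window prints a zero End
	}
}
```

Pairing is done per poster because the article notes that several groups claimed access on the same days; an "up" that never receives a "down" is left open rather than assigned a guessed duration, which is the only honest reading of the source posts.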
T-Mobile US reported revenues of nearly $80 billion last year. It currently employs more than 71,000 people in the United States, any one of whom can be a target for these phishers.
T-Mobile declined to answer questions about what it may be doing to beef up employee authentication. But Nicholas Weaver, a researcher and lecturer at University of California, Berkeley’s International Computer Science Institute, said T-Mobile and all the major wireless providers should be requiring employees to use physical security keys for that second factor when logging into company resources.
A U2F device made by Yubikey.
“These breaches should not happen,” Weaver said. “Because T-Mobile should have long ago issued all employees security keys and switched to security keys for the second factor. And because security keys provably block this style of attack.”
The most commonly used security keys are inexpensive USB-based devices. A security key implements a form of multi-factor authentication known as Universal 2nd Factor (U2F), which allows the user to complete the login process simply by inserting the USB key and pressing a button on the device. The key works without the need for any special software drivers.
The allure of U2F devices for multi-factor authentication is that even if an employee who has enrolled a security key for authentication tries to log in at an impostor site, the company’s systems simply refuse to request the security key if the user isn’t on their employer’s legitimate website, and the login attempt fails. Thus, the second factor cannot be phished, either over the phone or Internet.
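To make that origin binding concrete, here is an added example (not code from the article, from T-Mobile, or from any key vendor): a Go sketch of the relying-party checks that U2F and its successor WebAuthn perform. The host name login.example-carrier.com, the look-alike domain, and the challenge string are assumptions for illustration, and the data layout is simplified (no CBOR, attestation or counter bookkeeping). The security key only signs a hash of the relying-party identifier plus the client data; the browser, not the page, records the origin it actually loaded, and the server refuses anything whose origin or rpIdHash is not its own, so a response produced at a look-alike site never verifies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"strings"
)

// Assumed relying-party identity for the employer login page (example values,
// not from the article). The security key was enrolled against rpID.
const (
	rpID           = "login.example-carrier.com"
	expectedOrigin = "https://" + rpID
)

// clientData holds the clientDataJSON fields that matter here. The browser, not
// the page, fills in Origin from the URL it actually loaded.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is the browser's response: sha256(rpID)||flags||counter, the client
// data, and the key's signature over both (simplified WebAuthn layout).
type assertion struct {
	AuthData, ClientJSON, Sig []byte
}

// newKey stands in for the credential created when the key was enrolled.
func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// signedMessage is what both sides hash: authData || sha256(clientDataJSON).
func signedMessage(authData, clientJSON []byte) []byte {
	cdHash := sha256.Sum256(clientJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// authenticatorSign models the security key. It signs over the rpID hash the
// browser supplied plus the client data; the key itself never sees a URL.
func authenticatorSign(priv *ecdsa.PrivateKey, rpIDHash [32]byte, clientJSON []byte) (assertion, error) {
	authData := append(rpIDHash[:], 0x01, 0, 0, 0, 1) // flags: user present; counter 1
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, clientJSON))
	return assertion{AuthData: authData, ClientJSON: clientJSON, Sig: sig}, err
}

// verifyAssertion is the relying party's side: challenge, origin and rpID hash
// must all match before the signature is even considered.
func verifyAssertion(pub *ecdsa.PublicKey, challenge string, a assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return fmt.Errorf("stale or foreign response (type %q)", cd.Type)
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin %q is not %q: response was produced for another site", cd.Origin, expectedOrigin)
	}
	want := sha256.Sum256([]byte(rpID))
	if len(a.AuthData) < 37 || subtle.ConstantTimeCompare(a.AuthData[:32], want[:]) != 1 {
		return fmt.Errorf("rpIdHash mismatch: credential was not scoped to %q", rpID)
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(a.AuthData, a.ClientJSON), a.Sig) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

// loginAttempt simulates one login from a page served at origin. The browser
// derives the rpID from the host it actually loaded, so a look-alike domain can
// claim neither the real origin nor the real rpID, whatever the page asks for.
func loginAttempt(priv *ecdsa.PrivateKey, origin string) error {
	const challenge = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl" // constructed; a real server draws fresh random bytes per login
	rpIDHash := sha256.Sum256([]byte(strings.TrimPrefix(origin, "https://")))
	cdJSON, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin}) // plain struct: cannot fail
	a, err := authenticatorSign(priv, rpIDHash, cdJSON)
	if err != nil {
		return err
	}
	return verifyAssertion(&priv.PublicKey, challenge, a)
}

func main() {
	priv, err := newKey()
	if err != nil {
		panic(err)
	}
	fmt.Println("employer site:  ", loginAttempt(priv, expectedOrigin))
	fmt.Println("look-alike site:", loginAttempt(priv, "https://login.example-carrier.com.example.net"))
}
```

The point the article makes in prose falls out of the checks: a phished employee can type a password into a look-alike page, but the key's response for that page carries the wrong origin and the wrong rpIdHash, and the employer's server discards it before it ever looks at the signature. Fresh per-login challenges also stop a captured response from being replayed later.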
Nixon said one confounding aspect of SIM-swapping is that these criminal groups tend to recruit teenagers to do their dirty work.
“A huge reason this problem has been allowed to spiral out of control is because children play such a prominent role in this form of breach,” Nixon said.
Nixon said SIM-swapping groups often advertise low-level jobs on places like Roblox and Minecraft, online games that are extremely popular with young adolescent males.
“Statistically speaking, that kind of recruiting is going to produce a lot of people who are underage,” she said. “They recruit children because they’re naive, you can get more out of them, and they have legal protections that other people over 18 don’t have.”
For example, she said, even when underage SIM-swappers are arrested, the offenders tend to go right back to committing the same crimes as soon as they’re released.
In January 2023, T-Mobile disclosed that a “bad actor” stole records on roughly 37 million current customers, including their name, billing address, email, phone number, date of birth, and T-Mobile account number.
In August 2021, T-Mobile acknowledged that hackers made off with the names, dates of birth, Social Security numbers and driver’s license/ID information on more than 40 million current, former or prospective customers who applied for credit with the company. That breach came to light after a hacker began selling the records on a cybercrime forum.
In the shadow of such mega-breaches, any damage from the continuous attacks by these SIM-swapping groups can seem insignificant by comparison. But Nixon says it’s a mistake to dismiss SIM-swapping as a low volume problem.
“Logistically, you may only be able to get a few dozen or a hundred SIM-swaps in a day, but you can pick any customer you want across their entire customer base,” she said. “Just because a targeted account takeover is low volume doesn’t mean it’s low risk. These guys have crews that go and identify people who are high net worth individuals and who have a lot to lose.”
Nixon said another aspect of SIM-swapping that causes cybersecurity defenders to dismiss the threat from these groups is the perception that they are full of low-skilled “script kiddies,” a derisive term used to describe novice hackers who rely mainly on point-and-click hacking tools.
“They underestimate these actors and say this person isn’t technically sophisticated,” she said. “But if you’re rolling around in millions worth of stolen crypto currency, you can buy that sophistication. I know for a fact some of these compromises were at the hands of these ‘script kiddies,’ but they’re not ripping off other people’s scripts so much as hiring people to make scripts for them. And they don’t care what gets the job done, as long as they get to steal the money.”
This entry was posted on Tuesday 28th of February 2023 11:14 AM
I’ve been a T-Mobile customer for years. It took me about 10 minutes way back when to figure out they were under the magic spell of social engineers. Germans who know about Max Planck know he played a dangerous game and paid dearly, nothing new there. I was eventually “forced” into a Smart Phone by the demise of 3G but get weekly nags to fully install my OS. That’s not what Max Planck would do.
Sounds more like your phone needs security updates, which otherwise leaves your device vulnerable to various malware & hacks
“A new scientific truth does not triumph by convincing its opponents and making them see the light, but rather because its opponents eventually die and a new generation grows up that is familiar with it” – Max Planck
Brian, didn’t you say once that there is somewhere we can register to essentially freeze our SIM card, so to speak, like you put a freeze on your credit reports with the big 3 (4) credit bureaus. I vaguely remember the report and you saying that putting a freeze on your credit reports doesn’t likewise protect the SIM card/mobile number, so you had to put a separate freeze with a different company. What is that company, and do all mobile carriers honor that freeze?
Or am I totally misremembering that article and there’s no comparable freeze mechanism to prevent SIM swaps?
It’s called a NOPORT. You must call T-Mobile and ask them to enable NO PORT on your number. If the agent doesn’t know what you’re talking about, end the call and call again to get an agent that does.
Verizon calls it Number Lock, you can enable it in the phone app and I believe on the website. You don’t need to talk to a person to turn it on.
No need to call in, you can do this from t-mobile account settings > privacy > sim lock.
Can you please give more detail on how to do this? I can’t find it in the settings.
Select Account then Privacy & Notifications, then SIM Protection, then enable it.
Just checked my T-Mo accounts & discovered that the SIM protection feature had somehow been turned OFF, who knows when, but definitely by T-Mo.
I know that I turned it on as soon as that option was available to customers so beware & double check if you have previously used this security feature.
Very important not to confuse with another setting in the general phone settings called “SIM card lock”. This particular setting does NOT prevent a SIM swap.
@Brian
> employee-issued phones or laptops
That should be *employer-issued*
You can and probably should take advantage of whatever protections are offered by the phone companies. But it’s important to point out that if an employee can put these restrictions in place, a phished (or collusive) employee can undo that in a second.
You forgot to mention another vector for SIM swapping, rogue cell service employees trying to make a quick buck by trying to take advantage of the company they work for. Another real good read!
Thank you for the NOPORT term. Good to know the specific ask. Hope this would prevent T-Mobile insiders from SIM-swapping, but given T-Mobile's security stance, I have no such hope and left T-Mobile in disgust some time ago since they really don't care about breaches or such; 80 BILLION revenue allows for many settlements and still walk away fat. Brian has done a great job illustrating the ramification of SIM swaps. Ouch!
T-Mobile account login has a serious flaw when it comes to MFA. You can set up your account to use TOTP. But you are still presented with the option to use SMS for 2FA at every login.
There is no way to disable the SMS option.
This is a shortcoming of a lot of 2FA systems. Seemingly they provide little protection because you can’t limit it to just one system, and eventually it will even lead into security questions to allow a log in.
Not everywhere.
Azure AD does not have fallback.
Fallbacks have to be designed into the solution.
Unfortunately I just discovered this. I thought I was helping to secure my T-Mobile account by implementing Google Authenticator. Then I discover that there’s no way to disable the SMS option. What the heck! Isn’t there a single Cyber Security engineer at T-Mobile who says “Wait, this is moronic.”
This is exactly what you get with dumbo CISOs with MBA and other unrelated disciplines.
Like going to have a surgery with an attorney.
Most US companies are like this. It’s not going to change because there is no skilled labor with needed skills in Cybersecurity in the US.
FYI. There is more info on defensive steps for SIM swaps here
http://www.defensivecomputingchecklist.com/simswap.php
And, some info on avoiding ads from the cell companies here
http://www.defensivecomputingchecklist.com/cell.phone.companies.php
honestly at this point they should just change their name to t-morrowwellgethackedagain
U2F can provide a fairly high level of security to the authentication process. But proper implementation is critical. Implementation of some backup factor is a very good idea, but frequently leads to the weak link. As “vaadu” noted in their comment above, T-Mobile has implemented SMS as a backup to TOTP and has introduced a weaker link through SMS. That essentially makes TOTP of no use since the weaker SMS is always available. They could do the same to a U2F implementation.
I have primary and backup U2F keys which are both USB and NFC interfaced. There are precious few locations where I can use U2F, though. I use Gmail, Google Voice, and have a family domain with Google Workspace where I use them. AT&T wireless uses SMS, so no go there. Outlook.com and Yahoo.com and a handful of others. Curiously, few financial institutions have implemented U2F; even worse, most use SMS for 2FA.
Does TMO not use MFA and phishing just needs a username and password to get into their internal systems? Or how was MFA phished too?
“to social engineer employees over the phone into navigating to a phishing website and entering their employee credentials.”
It’s time to complain to your bank about not supporting FIDO2 (or at least TOTP).
Is there a list of banks that do? Complain with your feet/wallet.
Or complain to your bank, that could work. In some definition of work.
“Oh yes sir I agree sir, we’ll get right on that sir. Is there anything else?
Have you seen our new rewards gimmick account? Oh you have?”
Brian,
How does the new ESIM equate into this? Is it more likely to be breached or less likely?
Depends. All you need is a QR code. 😉 Often no need to leave your house, no need to call anywhere. In Europe all you need is the victim’s account. They store passwords in plaintext. It’s bad bad.
I just now called Tmo 611 tech Patricia and found you need both NOPORT and SimProtect. NOPORT keeps anyone from porting your number to a carrier outside of TMo, but you also need SimProtect which keeps anyone from changing your Sim card serial number to a different Sim card serial to be used on a new phone remotely, which is how simswap scammers work. SimProtect at TMo requires in-person visit and ID presentation at TMo to get your phone number assigned to a new Sim card serial number provided there.
please delete my last name from my previous post I just made
Thanks for that my dear friends!
Can somebody tell me if in Europe SIM swapping is going on also, or is this a specific US problem?
So T-Mobile is dropping auto-pay by credit card as of May 2023. To continue receiving the auto-pay discount on billing you have to replace the credit card with a debit card or a bank account.
How safe are these options in the next T-Mobile security breach?
Hackers Claim They Breached T-Mobile More Than 100 Times in … – Krebs on Security
Hacked home computer of engineer led to second LastPass data breach – CSO Online
By Apurva Venkat, Principal Correspondent, CSO
Password management company LastPass, which was hit by two data breaches last year, has revealed that data exfiltrated during the first intrusion, discovered in August, was used to target the personal home computer of one of its devops engineers and launch a second successful cyberattack, detected in November.
The threat actor involved in the breaches infected the engineer’s home computer with a keylogger, which recorded information that enabled a cyberattack that exfiltrated sensitive information from the company’s AWS cloud storage servers, LastPass said in a cybersecurity incident update Monday.
The company had divulged information about the data breaches last year; the update reveals for the first time that the same threat actor was responsible for both breaches.
The first intrusion ended on August 12 last year. However, LastPass now says that the threat actor was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activity aimed at the company’s cloud storage environment from August 12 to October 26, 2022.
“The observed tactics, techniques, and procedures (TTPs), as well as the indicators of compromise (IOCs) of the second incident were not consistent with those of the first. While proximal in terms of timeline, it was not initially obvious that the two incidents were directly related,” LastPass said in its update. There has been no activity by the threat actor after October 26, the company added.
The developer whose home computer was infected with the keylogger was only one of four devops engineers in the company who had access to the decryption keys of encrypted Amazon S3 buckets.
“The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the devops engineer’s LastPass corporate vault,” LastPass said.
The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.
The use of valid credentials made it difficult for the company’s investigators to detect the threat actor’s activity.
In the first intrusion, in August, a software engineer’s corporate laptop was compromised, allowing the threat actor to gain access to a cloud-based development environment and steal source code, technical information, and certain LastPass internal system secrets, LastPass CEO Karim Toubba said in a blog addressed to customers.
No customer data or vault data was stolen during this incident, as LastPass did not have any customer or vault data in the development environment.
“We declared this incident closed but later learned that information stolen in the first incident was used to identify targets and initiate the second incident,” Toubba said.
During the first incident, the threat actor was able to access on-demand, cloud-based development and source code repositories of 14 out of 200 software repositories.
Internal scripts from the repositories — which contained company secrets and certificates as well as internal documentation including technical information that described how the development environment operated — were also accessed by the threat actor.
In the second incident, the threat actor used the information stolen in the first intrusion to target a senior devops engineer and exploit vulnerable third-party software to install a keylogger, Toubba said.
The threat actor leveraged information from the keylogger malware, including the engineer’s credentials, to bypass and ultimately gain access to cloud backups. The data accessed from those backups included system configuration data, API secrets, third-party integration secrets, and encrypted and unencrypted customer data, the company said.
The threat actor also accessed devops secrets including information used to gain access to cloud-based backup storage. Access to a backup of the LastPass multifactor authentication (MFA) and federation database that contained copies of the company’s authenticator seeds, telephone numbers used for MFA backup, as well as a split-knowledge component (the K2 “key”) used for LastPass federation, was also gained by threat actor, LastPass said.
The identity of the threat actor and their motivation is unknown. There has been no contact or demands made, and there has been no detected credible underground activity indicating that the threat actor is actively engaged in marketing or selling any information obtained during either incident, LastPass said.
There have been several steps that LastPass has taken to strengthen its security in the wake of the incidents. “We invested a significant amount of time and effort hardening our security while improving overall security operations,” the CEO said.
Some of this included assisting devops engineers with hardening the security of their home network and personal resources, rotating critical and high privilege credentials, and enabling custom analytics that can detect ongoing abuse of AWS resources. LastPass says it has millions of users and more than 100,000 businesses as customers.
Apurva Venkat is principal correspondent for the India editions of CIO, CSO, and Computerworld.
Copyright © 2023 IDG Communications, Inc.
Media Giant News Corp Discloses New Details of Data Breach – SecurityWeek
News Corp says a threat group, previously linked to the Chinese government, had access to its systems for two years before the breach was discovered.
Media giant News Corp has disclosed new details about a data breach discovered last year and attributed to a state-sponsored threat actor.
In early 2022, News Corp revealed that hackers had managed to steal corporate data from its systems, but claimed that financial and customer information were not compromised. The incident was discovered in January 2022 and cybersecurity firm Mandiant was called in to assist with the investigation.
News Corp said at the time that the attack had been tied to a foreign government, and Mandiant clarified that it appeared to be the work of a Chinese group.
The cyberattack hit News Corp headquarters, news operations in the UK, as well as News Corp-owned businesses such as The Wall Street Journal, Dow Jones, and New York Post.
The media giant last week started sending out data breach notices to individuals whose data may have been compromised. Bleeping Computer was the first to spot the notification.
The notification, a copy of which was submitted to authorities in Massachusetts, reveals that the hackers gained access to a business email and document storage system used by several News Corp businesses.
The attackers had gained access to business documents and emails between February 2020 and January 2022. The compromised information came from a ‘limited number’ of personnel accounts on the affected system.
Some personal information may have been obtained by the attackers, including name, date of birth, Social Security number, passport number, driver’s license number, financial account information, health insurance details, and medical information. The company noted that not every type of information was compromised in each individual’s case.
“Our investigation indicates that this activity does not appear to be focused on exploiting personal information. We are not aware of reports of identity theft or fraud in connection with this issue,” News Corp said.
However, the company has decided to offer 24 months of free identity protection and credit monitoring services to impacted individuals.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
Copyright © 2023 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved. -
Alvaria, Inc. Announces Data Breach Following Hive Ransomware … – JD Supra
On February 22, 2023, Alvaria, Inc. filed notice of a data breach with the Attorney General of Massachusetts after confirming that a recent cybersecurity event was a Hive ransomware attack resulting in confidential employee information being leaked. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names, Social Security numbers, passport numbers, financial account information, health insurance information and tax-related information. After confirming that consumer data was leaked, Alvaria began sending out data breach notification letters to all employees who were impacted by the recent data security incident.
If you are a current or former employee of Alvaria, it’s possible that the recent Hive Ransomware attack compromised the security of your personal information. As we’ve discussed in previous posts, ransomware attacks like these are becoming increasingly common. They also significantly increase your risk of identity theft and other frauds. Therefore, as a data breach victim, it is imperative that you understand how to mitigate these risks and what you can do to hold a company that negligently leaked your information accountable.
The available information regarding the Alvaria breach comes from the company’s filing with the Attorney General of Massachusetts. According to this source, on November 28, 2022, Alvaria was targeted in a Hive Ransomware attack. In response, Alvaria contained the incident, notified the FBI, and began investigating what data was removed from the company’s computer network. However, while this investigation was underway, Hive Ransomware leaked certain information onto the group’s Dark Web leak site. While none of the leaked information belonged to consumers or employees, it proved that the attack occurred. This prompted the company to investigate the incident further to determine what other information may have been leaked. Ultimately, Alvaria was able to determine that confidential employee information was accessible to the hackers.
Upon discovering that sensitive consumer data was made available to an unauthorized party, Alvaria began to review the affected files to determine what information was compromised and which consumers were impacted. While the breached information varies depending on the individual, it may include your name, Social Security number, passport number, financial account information, health insurance information and tax-related information.
On February 22, 2023, Alvaria sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident.
Alvaria, Inc. is a business software company based in Westford, Massachusetts. The company was recently formed through the merger of Aspect Software and Noble Systems, two companies that offered a variety of Customer Experience (CX) and Workforce Engagement solutions. Alvaria creates software that enables companies to better understand and track the customer experience, as well as workforce engagement. Alvaria employs more than 2,000 people and generates approximately $423 million in annual revenue.
DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
© Console and Associates, P.C. | Attorney Advertising
Copyright © JD Supra, LLC -
Hackers Breach U.S. Marshals System With Sensitive Personal Data – The New York Times
The compromised computer system includes information on both investigative targets and agency employees.
Glenn Thrush and
The U.S. Marshals Service suffered a major security breach this month when hackers broke into and stole data from a computer system that included a trove of personal information about investigative targets and agency employees, a spokesman for the service said on Monday.
The service, a division of the Justice Department, is responsible for the protection of judges, the transportation of federal prisoners and the operation of the federal witness protection program. The witness protection database was not breached, but hackers did gain access to information about some fugitives sought by federal authorities, according to a senior law enforcement official.
Justice Department officials have determined that the breach, which was carried out through ransomware on Feb. 17, was “a major incident,” said Drew J. Wade, the Marshals Service spokesman. It was yet another in a series of breaches that have underscored the government’s struggles to protect sensitive information as the frequency, scale and sophistication of ransomware attacks have surged in recent years.
The affected system “contains law enforcement sensitive information, including returns from legal process, administrative information and personally identifiable information pertaining to subjects of U.S.M.S. investigations, third parties and certain U.S.M.S. employees,” Mr. Wade said in an email. Officials with the Marshals Service disconnected the system after discovering the attack, he said.
The department is investigating the origin of the attack and working on an assessment of the damage while officials with the Marshals Service race to limit the risk posed by the theft of the highly sensitive personal and investigative information.
The breach was reported earlier by NBC News.
Several government agencies have fallen victim to hackers in recent years, as a growing number of groups have acquired the tools and expertise to steal data, disrupt critical infrastructure and extort payments from victims that also include corporations and private individuals.
A highly sophisticated Russian hacking attack during the final year of the Trump administration compromised the networks of more than 250 federal agencies and businesses — including the Treasury, State, Commerce and Energy Departments, and parts of the Pentagon.
A spate of hacks of government computers in 2015 that originated in China stole the personal information of about 21.5 million people, including addresses, health and financial history, and other private details, from people who had been subjected to a government background check. The hackers also took the personnel data and fingerprints of federal employees.
A number of other, smaller data breaches have targeted groups related to the federal government, including the theft by Chinese government hackers of sensitive data from a Navy contractor in 2018 and the theft in 2019 of tens of thousands of images of travelers and license plates stored by Customs and Border Protection.
The Biden administration has made combating ransomware a national security priority, and has succeeded in recovering ransoms, thwarting extortion attempts and dismantling criminal organizations that engage in ransomware attacks.
-
EU Parliament bans staff from using TikTok over ‘cybersecurity concerns’ – POLITICO Europe
MEPs and assistants are ‘strongly recommended’ to delete the social media app.
The European Parliament on Tuesday banned the use of social media app TikTok on staff devices and recommended that MEPs delete it from their phones.
Following in the footsteps of the European Commission and Council of the EU, Parliament President Roberta Metsola and Secretary-General Alessandro Chiocchetti have told about 8,000 officials they should uninstall TikTok from corporate devices such as mobiles and tablets by March 20.
It is also “strongly recommended” that MEPs and their staff and accredited assistants remove TikTok from their personal devices, according to the note. The popular video-sharing app is owned by Chinese tech firm ByteDance and has become the focus of mounting security and data protection fears.
“Cybersecurity concerns have been raised on the usage of the social media platform TikTok, in particular regarding data protection and collection of data by third parties,” reads the Parliament’s email, sent out to staffers on Tuesday.
“I think it is logical and important that the Parliament joins the other European institutions on this,” said Dita Charanzová, the vice president in charge of cybersecurity.
There is no active official European Parliament account on TikTok, although one account with the handle @europarl posted a video about the institution in late 2019. A spokesperson said that the @europarl account was not official and that a procedure to have it removed by TikTok had been launched. Some of the political groups, such as the center-right European People’s Party and The Left, maintain a presence on the platform.
A TikTok spokesperson said the suspension was misguided and based on misconceptions.
“TikTok is enjoyed by 125 million EU citizens and potentially depriving users” of “access to their representatives is a self-defeating step, especially in our shared fight against misinformation and when this action is being taken on the basis of fears rather than facts,” a spokesperson said in a statement. “We repeat our calls to EU institutions for due process and equal treatment.”
Pedro López, the spokesperson of the EPP group, said the group had no plans to remove its TikTok account, which has 50,000 followers — far larger than the next-highest group, The Left, which has around 6,000.
“We will not erase our account on TikTok,” López said, adding that they had not received any official news of the decision yet.
“I think it is absurd to abandon the highest-growing social network in Europe, even if the Chinese are using it for spying,” the EPP spokesperson said.
He added that the Parliament should launch an official TikTok account because it is a useful tool to fight fake news and that the institution was instructed to do so a few months ago by the so-called bureau, the group of vice presidents chaired by President Metsola.
The Commission was the first EU institution to take such a measure, but it ruffled the feathers of other EU bodies, including the Parliament, by going it alone.
A spokesperson for Parliament Vice President Marc Angel said he regretted “that the [European Commission] made a unilateral decision on banning TikTok. As it concerns cybersecurity, he would have preferred a coordinated decision by the institution.”
This article has been updated with TikTok’s comment and a comment from a Parliament spokesperson.
-
How to Prepare for a Data Breach before it Happens – Security Boulevard
Preparation is key in preventing the worst outcomes from a data breach, so it is important to have a plan in place ahead of time. Here are some steps you can take to prepare for a potential data breach:
By taking these steps, you will be better prepared to respond to a data breach if it occurs, and you may be able to prevent it from happening in the first place.
When a data breach occurs, it is important to respond quickly and effectively to minimize the damage and protect sensitive information. Here are some strategies for responding to a data breach:
It is important to remember that the steps taken during a breach response can have long-term consequences, so it is crucial to act quickly and effectively to minimize damage and protect sensitive information.
Data breach responses can be successful or unsuccessful. The first step to responding effectively is having a plan ready in advance, as well as resources available when you need them. Not having a plan will lead to extended problems and increased costs of incident response. Here are several real-life examples of successful data breach response efforts:
The recent news about the Chinese hackers who stole information from hundreds of companies has been everywhere, but not everyone is aware that many similar cyber attacks on large organizations preceded it. In some cases, as with McAfee and its employees, the victims paid a $100m ransom in bitcoins after being hacked to get their stolen data back. Unfortunately, we are still far from having a real-time electronic defense that can ensure 100% protection against such attacks. Even if these attacks had been detected earlier than they actually were, it would take an extended period of time for their damage to be fully assessed or mitigated. In other words, cyber security awareness at all levels will always be an issue that requires serious attention so that it does not happen again in the future.
Unlike other security threats, data breaches are not always immediately obvious. In many cases companies don’t know they’ve been breached until well after the fact. Effective responses to these incidents can be difficult to predict, but there are a few key things that successful companies have in common. Data breaches are not a new phenomenon. They have been around for decades, and they continue to grow in number and severity. While no two data breaches are the same, there are several commonalities that can help predict how successful your company’s response will be.
The post How to Prepare for a Data Breach before it Happens appeared first on WeSecureApp :: Simplifying Enterprise Security.
*** This is a Security Bloggers Network syndicated blog from WeSecureApp :: Simplifying Enterprise Security authored by Naimisha. Read the original post at: https://wesecureapp.com/blog/how-to-prepare-for-a-data-breach-before-it-happens/
-
Top 5 security improvements to protect against public sector … – Open Access Government
The solution to reducing public sector cybercrime lies in finding trusted experts, like Firstserv, to provide managed solutions and secure cloud hosting including disaster recovery, managed backups, and server monitoring.
Public sector cybercrime has been particularly dramatic over the last year. The digital skills gap, home working, multiple device access and a lack of cyber awareness in employees have all contributed to increased cyber risk. Due to its size, the number of systems utilised, numerous locations and the number of employees, the NHS is particularly vulnerable. In January this year, Firstserv rescued an NHS Foundation Trust after their skills gap left them defenceless.
In December 2021, the Trust had a robust Intrusion Detection and Prevention System (IDS/IPS) solution installed, but it was never used. The in-house IT team lacked the skills to onboard the key infrastructure configuration.
With the system sitting dormant, the Trust was unable to identify attacks and techniques. Their employees were not knowledgeable enough to spot them.
It was a high-risk situation, as malicious traffic could go undetected leading to attacks.
The costs are threefold and often underestimated. Resolving the issue once the attack has happened is expensive. Preventative measures in the form of server monitoring and other managed solutions are more budget-friendly.
Depending on the type of breach, General Data Protection Regulation’s (GDPR) non-compliance fines can be up to €10 million, or 2% annual global turnover – whichever is greater; or up to €20 million, or 4% annual global turnover – whichever is greater.
“Each individual cyber-attack is estimated to cost an average of between £4,200 to £19,400 and that doesn’t include potential fines for not protecting data efficiently.”
In addition to this, the reputational damage that results from a serious data breach can be crippling.
At the end of January, this year, the Trust suffered from a Distributed Denial-of-Service (DDoS) attack on its main trust server. Without the necessary knowledge and skills to protect themselves, they were powerless to stop it and contacted Firstserv for help.
The immediate corrective action taken to mitigate the attack was to increase resources on the main firewall. Once this was done, the existing IDS/IPS solution was properly configured to prevent future attacks.
Firstserv is continuing to work with the NHS Foundation Trust’s IT department to build its in-house cyber security skills and awareness. This will enable it to take a more active role in owning its own security posture, ensuring it continues to make full use of its Cloud infrastructure.
Due to its internal skills gap, the Trust is also looking to implement Firstserv’s High Availability Solution and outsource management of servers and system infrastructure to the expertise of the Firstserv team.
So, how can you mitigate the risks? Firstserv’s CEO, Sebastian, shares the Top 5 ways to fight public sector cybercrime:
Cloud security provides multiple levels of control within a network infrastructure. It gives you continuity and protection for cloud-based assets like websites and web applications. Businesses need to ensure their chosen cloud security provider provides DDoS protection, high availability, data security, and regulatory compliance.
Keep your business operating without interruption as your IT security staff deals with vulnerabilities and cyberattacks. By providing multiple paths for traffic, any downtime you suffer won’t leave data vulnerable.
The issue can be isolated and resolved far more efficiently. It is essential to maintain redundancy for cybersecurity and successful compliance audits.
The digital skills gap and lack of cyber awareness among employees make them key targets for attackers. Strategies include phishing scams and malware-containing emails.
By decentralising your network and segmenting it into smaller, sub-networks you add an extra layer of protection for your organisation. Even if a hacker successfully breaks into one segment of the network, they won’t be able to access everything. The threat can be isolated and successfully removed.
To ensure cyber resilience, all platforms and data hosted in the cloud should have fine-tuned access restrictions. Firstserv can provide you with easy-to-configure controls and tools including:
No cyber security strategy can provide 100% protection, which is why Firstserv offers robust 24/7 monitoring of your hardware and software. Hackers become more sophisticated every day, and this threat can never be eliminated, but a proactive monitoring solution is crucial to reducing your vulnerability.
Sebastian Tyc is Firstserv’s Managing Director, ensuring their high availability solution is made available to all public sector organisations.
-
Multi-agency operation leads to nine cyber crime arrests in San Angelo – MyFoxZone.com KIDY
SAN ANGELO, Texas — The Abilene Police Department Cyber Crimes Unit assisted the Department of Homeland Security office in San Angelo in the arrest of nine individuals from various locations for crimes against children.
The multi-agency operation that included the Texas Department of Public Safety, the Federal Bureau of Investigation, the U.S. Air Force and other area law enforcement agencies, targeted suspects seeking to engage in sexual contact with minors in the San Angelo area.
According to an APD press release, the two-day operation is the type of operation that the Abilene Cyber Crimes Unit assists with on a regular basis. These operations seek to bring to justice individuals who target the most vulnerable population through the internet and social media applications.
-
Emtec, Inc. Reports Data Breach Affecting Over 7,000 People … – JD Supra
On February 21, 2023, Emtec, Inc. filed notice of a data breach with several state attorney general offices, including those in Maine and Texas, after determining that confidential consumer information was leaked following a cyberattack. Based on the company’s official filing, the incident resulted in an unauthorized party gaining access to consumers’ names, addresses, Social Security numbers, driver’s license numbers, financial account information and protected health information. After confirming that consumer data was leaked, Emtec began sending out data breach notification letters to the 7,637 individuals who were impacted by the recent data security incident.
If you were an employee or contractor who did business with Emtec, the recent data breach may have resulted in your personal information being exposed to potential criminals. As we’ve discussed in prior posts, data breaches like these dramatically increase your risk of identity theft and other frauds. Therefore, as a data breach victim, it is important you understand what you can do to mitigate these risks. Depending on the outcome of the pending investigation into the Emtec breach, you may also be able to hold the company accountable for its role in leaking your information.
The available information regarding the Emtec breach comes from the company’s filings with the attorney general offices in Maine and Texas. According to these sources, Emtec recently learned of a possible cyberattack. While the company did not provide the exact date it learned of the potential intrusion, in response, the company worked with law enforcement and a third-party forensics firm to determine the nature and scope of the incident.
On January 17, 2023, the Emtec investigation confirmed that an unauthorized party had gained access to the company’s computer network on September 7, 2022, which was terminated on September 14, 2022. It was also determined that some of the files that were accessible to the unauthorized party contained confidential consumer information.
Upon discovering that sensitive consumer data was made available to an unauthorized party, Emtec began to review the affected files to determine what information was compromised and which consumers were impacted. While the breached information varies depending on the individual, it may include your name, address, Social Security number, driver’s license number, financial account information and protected health information.
On February 17, 2023, Emtec sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident. In total, the Emtec data breach affected 7,637 individuals.
Emtec, Inc. is an IT consulting firm based in Jacksonville, Florida. The company provides a wide range of services, including strategy, planning and process improvements; marketing analytics; customer experience improvement; digital strategy consulting; cybersecurity; Oracle consulting and Salesforce consulting. Emtec operates locations in Florida, Alabama, Illinois, Pennsylvania, Toronto, Ontario and India. Emtec employs more than 1,000 people and generates approximately $204 million in annual revenue.