
  • Best and worst data breach responses highlight the do's and don'ts of IR – CSO Online

    By Neal Weinberg, Contributing writer, CSO
    In theory, enterprises should not only have security measures in place to prevent a data breach but should also have detailed plans for a response in the event of a breach. And they should periodically conduct drills to test those plans.
    Industry-wide best practices for incident response are well established. “In general, you want breach responses to be fairly timely, transparent, communicate with victims in a timely manner, prevent further harm to victims as best as they can do that, and tell stakeholders what they are doing to mitigate future attacks,” says Roger Grimes, data-driven defense evangelist at KnowBe4.
    However, as former heavyweight fighter Mike Tyson once said, “Everyone has a plan until they get punched in the mouth.” In other words, when a company gets hit with a serious data breach, the best-laid plans often go out the window.
    Over the past few years, there have been numerous examples of high-profile data breaches that severely impacted the affected companies’ fortunes. Think Equifax, Sony, and SolarWinds. Here are some recent examples of the best and worst responses to data breaches, judged against the criteria cited above.
    It’s bad enough when you fail to enforce basic cybersecurity practices such as cutting off an employee’s access to sensitive customer data when that employee leaves the company. But how about discovering a breach in December 2021 and not disclosing that fact until it comes out in an April 2022 filing with the US Securities and Exchange Commission (SEC)?
    That was the scenario at Block, the financial services company that owns mobile payment vendor Cash App. The SEC filing said an employee who had regular access to customer account data while employed at the company, accessed those reports “without permission after their employment ended.” 
    According to Block, the downloaded data of 8.2 million customers did not include usernames, passwords, Social Security numbers, or bank account information. It did include full names and brokerage account numbers, which are used to identify a user’s stock activity on Cash App Investing. The breached information “included brokerage portfolio value, brokerage portfolio holdings and/or stock trading activity for one trading day.” Block hasn’t fully explained how the breach happened or why it took so long to go public.
    Not surprisingly, investors filed a class-action lawsuit in August 2022 seeking damages due to Block’s “negligent” behavior. The suit alleges that some customers have had unauthorized charges made against their accounts and points out that Cash App’s delay in notifying users of the breach caused additional harm to customers that “they otherwise could have avoided had a timely disclosure been made.”
    The suit goes on to assert that the notice to data breach victims was “not just untimely but woefully deficient.” The allegations have not been proven in court. Block didn’t offer details regarding how the former employee was able to access customer information, whether the data was encrypted, or how Block learned about the breach. Block has also failed to offer any credit or identity theft monitoring services to those whose information was compromised.
    We’ve become accustomed to hackers targeting schools and hospitals, but cybercriminals hit a new low when they conducted a sophisticated attack against the Red Cross in late 2021. The attackers accessed a database that contained names, addresses, and contact information for 515,000 people separated from their families by war and natural disasters.
    The Red Cross responded with outrage. Robert Mardini, ICRC’s director-general, called the attack an “affront to humanity.” The agency publicly pleaded with the hackers not to use the information. Beyond that, the Red Cross response was swift, transparent, and comprehensive.
    The agency quickly posted a lengthy FAQ on its website that described the hack and the response. The Red Cross immediately took the compromised servers offline and only relaunched the Restoring Family Links service after deploying enhanced security measures such as two-factor authentication and advanced threat detection, then conducting external penetration tests.
    In addition, the Red Cross made extraordinary efforts to contact people who might have been affected, including phone calls, hotlines, public announcements, letters, and in some cases sending teams to remote communities to inform people in person.
    The agency posted a detailed description of the hack itself, which was first discovered by a cyber security consultant working for the agency, who spotted an anomaly on ICRC servers. An investigation determined that the breach occurred on November 9, 2021, so hackers were inside the agency’s systems for more than two months before being detected.
    Essentially, the attackers exploited an unpatched critical vulnerability in an authentication module. That foothold let them compromise administrator credentials, move laterally, and exfiltrate registry hives and Active Directory files. Posing as legitimate users or administrators, they were then able to reach the data, which the ICRC says was encrypted.
    “We determined the attack to be targeted because the attackers created a piece of code designed purely for execution on the targeted ICRC servers. The tools used by the attacker explicitly referred to a unique identifier on the targeted servers (its MAC address),” according to the Red Cross. The agency also fessed up to its mistake: “The timely application of critical patches is essential to our cyber security, but unfortunately, we did not apply this patch in time before the attack took place.”
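    The ICRC write-up above describes the classic sequence: shadow copy, registry hive save, Active Directory database export, all run under accounts that look legitimate. The following is an added example (not ICRC code, and not from the CSO article) of detection logic for that sequence, run over a handful of constructed process-creation log lines in a simplified Sysmon-style "time|user|image|commandline" format. The rule set and the ten-minute correlation window are assumptions to tune per environment; backup software legitimately creates shadow copies, so that rule on its own is noisy and only becomes interesting when the same account also saves a hive.

```python
"""Detect credential-store dumping sequences in process-creation logs.

Added example; the rules and the sample log lines are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Rule name -> regex over the lowercased command line. These cover the
# usual ways SAM/SYSTEM/SECURITY hives and ntds.dit are copied out.
RULES = [
    ("reg_save_hive", re.compile(r"\breg(\.exe)?\s+save\s+hk(lm|ey_local_machine)\\(sam|system|security)\b")),
    ("ntdsutil_ifm", re.compile(r"\bntdsutil(\.exe)?\b.*\bifm\b")),
    ("vssadmin_shadow", re.compile(r"\bvssadmin(\.exe)?\s+create\s+shadow\b")),
    ("esentutl_copy", re.compile(r"\besentutl(\.exe)?\b.*(ntds\.dit|\\sam\b|\\system\b)")),
    ("copy_ntds", re.compile(r"\b(copy|xcopy|robocopy)\b.*ntds\.dit")),
]

# Constructed sample events (not real ICRC telemetry).
SAMPLE_LOG = [
    "2021-11-09T02:14:07Z|CORP\\svc-backup|C:\\Windows\\System32\\vssadmin.exe|vssadmin create shadow /for=C:",
    "2021-11-09T02:14:31Z|CORP\\svc-backup|C:\\Windows\\System32\\reg.exe|reg save HKLM\\SAM C:\\Temp\\sam.hiv",
    "2021-11-09T02:14:32Z|CORP\\svc-backup|C:\\Windows\\System32\\reg.exe|reg.exe save hklm\\system c:\\temp\\sys.hiv",
    "2021-11-09T02:20:05Z|CORP\\da-admin|C:\\Windows\\System32\\ntdsutil.exe|ntdsutil \"ac i ntds\" \"ifm\" \"create full c:\\temp\\ifm\" q q",
    "2021-11-09T02:21:40Z|CORP\\jdoe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -Command Get-Process",
    "2021-11-09T02:25:00Z|CORP\\da-admin|C:\\Windows\\System32\\reg.exe|reg query HKLM\\SOFTWARE\\Microsoft",
]


@dataclass
class Hit:
    time: str
    user: str
    rule: str
    cmdline: str


def parse_line(line):
    """Split one 'time|user|image|commandline' record; None if malformed."""
    parts = line.rstrip("\n").split("|", 3)
    return parts if len(parts) == 4 else None


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def scan(lines):
    """Return one Hit per event whose command line matches a rule."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        time, user, _image, cmdline = rec
        low = cmdline.lower()
        for name, rx in RULES:
            if rx.search(low):
                hits.append(Hit(time, user, name, cmdline))
                break  # first matching rule is enough for one event
    return hits


def correlate(hits, window=timedelta(minutes=10)):
    """Flag users who trigger two or more distinct rules within `window`.

    A single shadow copy is routine; a shadow copy followed by a hive
    save from the same account within minutes is the dumping pattern.
    Returns {user: sorted rule names}.
    """
    by_user = {}
    for h in hits:
        by_user.setdefault(h.user, []).append(h)
    flagged = {}
    for user, hs in by_user.items():
        hs.sort(key=lambda h: parse_time(h.time))
        for i, first in enumerate(hs):
            rules = {first.rule}
            for later in hs[i + 1:]:
                if parse_time(later.time) - parse_time(first.time) > window:
                    break
                rules.add(later.rule)
            if len(rules) >= 2:
                flagged[user] = sorted(rules)
                break
    return flagged


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h.time} {h.user:<18} {h.rule:<16} {h.cmdline}")
    print("correlated:", correlate(found))
```

    Note that the flagged account here is a service account, not an obviously hostile one; as the ICRC found, the attackers used legitimate-looking identities, so the detection has to key on what the account did and how quickly, not on who it claims to be.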
    The Red Cross has continued to issue updates and according to the latest information: “We have not had any contact with the hackers and no ransom ask has been made. To our knowledge, the information has not been published or traded.”
    When it comes to data breaches, is there a sliding scale? In other words, if a tiny school district gets hit with a ransomware attack, do we give the IT team a partial pass because they probably lack the resources and skill level of a more tech-savvy company? On the other hand, if a company whose entire business model is based on protecting user passwords gets hacked, do we judge them more harshly?
    Which brings us to LastPass, which experienced an embarrassing breach that was first announced in August 2022 as a minor incident confined to the application development environment. By December the company had acknowledged that the intrusion extended to customer data, including company names, end-user names, billing addresses, email addresses, telephone numbers, and IP addresses.
    LastPass gets high marks for transparency. The company continued to issue public updates following the initial August announcement. But each update raised questions about the accuracy of prior statements and called into question some basic security processes employed by LastPass.
    The saga began on August 25, 2022, when LastPass CEO Karim Toubba announced that the company detected unusual activity within the LastPass development environment, but added, “We have seen no evidence that this incident involved any access to customer data or encrypted password vaults.” LastPass said the attacker stole some source code but assured customers that the breach was contained and that there was “no further evidence of unauthorized activity.”  
    On November 30, LastPass issued an update saying the hacker, using information gained in the August incident, was in fact able to gain access to customer information stored in a backup cloud service. Again, LastPass assured customers that passwords were safely encrypted.
    Then it got worse. On December 22, LastPass had to admit that the attacker used information stolen in August to target another employee in order to obtain credentials and keys which were used to access and decrypt customer data stored in the cloud-based backup. LastPass also had to admit that website URLs visited by customers were not encrypted.
    LastPass assured customers that if their master password followed the company’s default settings (a minimum of 12 characters and the default 100,100 PBKDF2 password-strengthening iterations), it would be virtually impossible for hackers to brute-force the master password with current technology.
    However, if a customer’s master password did not follow those defaults, all bets are off. LastPass explained, “If your master password does not make use of the defaults, then it would significantly reduce the number of attempts needed to guess it correctly. In this case, as an extra security measure, you should consider minimizing risk by changing passwords of websites you have stored.” LastPass also warned that the threat actor may target customers with phishing attacks, credential stuffing, or other brute force attacks.
    The company continued to keep customers informed about its mitigation efforts. LastPass decommissioned the hacked development environment and built a new one from scratch. It added additional logging and alerting capabilities to help detect any further unauthorized activity including a second line of defense with a leading managed endpoint detection and response vendor.
    The damage may have been done, Grimes says. “LastPass had always said they protected customers’ stored data, but when that data was breached, it was revealed that while LastPass did possibly protect customers’ stored passwords, they did not protect customer login names, website links, and other customer-specific private information. This gives the hacker in possession of the information a complete map of the sites the user visits and what their logon names are. At the very least it could lead to customized spear phishing attacks that appear to be from websites the victim frequents. On top of that, the breach revealed that LastPass was still allowing weak master passwords.”
    Managed cloud services provider Rackspace announced in December 2022 that it had been hit with a clever ransomware attack perpetrated by the PLAY cybercrime group. The attack locked up the hosted Microsoft Exchange accounts of 30,000 customers, who were unable to access their emails for several weeks.
    The Rackspace response was swift. When the company became aware of the issue, it powered down and disconnected its Exchange environment. The company hired an external team from security vendor CrowdStrike to investigate what happened. Rackspace then announced that it was exiting the hosted Exchange business for good, and would help its customers migrate to Office 365. That’s pretty dramatic.
    The CrowdStrike investigation revealed that Rackspace had installed one patch recommended by Microsoft to combat the ProxyNotShell exploit, but there was some confusion about whether a second patch was necessary. Rackspace did not install the second patch and the hackers were able to chain together two vulnerabilities in order to access the Exchange servers.
    In an analysis of the breach, industry veteran Paul Robichaux said: “To their credit, Rackspace did pretty much everything right: they went public with the incident, hired a very well-known security firm (CrowdStrike) to help them clean up, and then published a postmortem discussing what happened.”
    Here’s the timeline of the Zacks Investment Research breach that affected 820,000 customers: the breach lasted nine months, from November 2021 to August 2022. The company didn’t discover the breach until late December 2022 and didn’t notify customers until the end of January 2023.
    To date, the company has not disclosed much, except to say that the breach involved names, addresses, phone numbers, email addresses, and passwords used for its website Zacks.com. Zacks did explain that the information comes from an older database of customers who signed up for a Zacks service between 1999 and 2005. The company said it blocked access to accounts with the compromised passwords, so customers would need new passwords. Zacks added that if customers use the same passwords on other websites, they should change those as well. The company will not be providing credit monitoring services to affected customers.
    “A month to notify affected customers that their current passwords, which are often shared with other unrelated sites and services, seems a bit excessive,” Grimes says. “You would hope any breached company would notify affected customers within days and not take weeks to make an official announcement.”
    Neal Weinberg is a freelance technology writer and editor.
    Copyright © 2023 IDG Communications, Inc.


  • DISH Network, LLC Files Notice of Data Breach with the SEC – JD Supra

    On February 28, 2023, DISH Network, LLC filed a notice with the Securities and Exchange Commission reporting that a recent “cyber-security incident” may have compromised confidential information in the company’s possession. News of the DISH Network breach only recently surfaced, and the company appears to be in the midst of the investigation; however, the SEC notice confirms that the incident involved a successful ransomware attack that resulted in certain information on the DISH Network IT system being compromised.
    If you are a customer or employee of DISH Network, news of the recent data breach is certainly cause for concern. As we’ve reported in previous posts, ransomware actors organize these attacks to obtain sensitive information that they can then use to extort a company, hoping to secure a hefty ransom payment. If the company refuses to pay a ransom, the hackers will often post the stolen information on the Dark Web for anyone to access. This greatly increases the likelihood of victims being targeted by identity thieves and other criminal actors. However, victims of ransomware attacks may have a legal claim against a company that negligently stored their sensitive information.
    The available information regarding the DISH Network breach comes from the company’s filing with the SEC as well as secondary news reports. According to these sources, on February 23, 2023, DISH Network experienced a network outage affecting the company’s internal servers and IT system. In response, the company secured its systems and began working with cyber-security experts and outside advisors to determine the scope of the incident.
    While the DISH Network investigation is still underway, on February 27, 2023, the company confirmed that the outage was due to a cybersecurity incident, which DISH Network described as a ransomware attack. However, because the investigation is ongoing, the company has not yet confirmed what data types were compromised in the recent breach.
    On February 28, 2023, DISH Network filed an SEC form 8-K describing the incident. That same day, the company also posted notice of the incident on its website.
    Founded in 1980, DISH Network, LLC is a television and cable company based in Englewood, Colorado. The company’s main service is satellite television; however, DISH also owns Boost Mobile, Sling TV, and Dish Wireless. DISH Network is publicly traded on the NASDAQ under the ticker symbol “DISH.” DISH Network employs more than 14,500 people and generates approximately $18 billion in annual revenue.
    DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
    © Console and Associates, P.C. | Attorney Advertising
    Copyright © JD Supra, LLC


  • Cybercrime spiked in 2022 — and this year could be worse – Digital Trends

    Last year saw a massive spike in cybercrime, with some types of malicious digital activity rising by as much as 87%. It doesn’t bode well — but there were a couple of relative bright spots.
    That information comes from a new report published by cybersecurity firm SonicWall. It makes for interesting reading, especially since one of the biggest rises came from an unusual source — and one of the most feared types of malware saw a hefty drop.
    Among the statistics, SonicWall notes that there were 112.3 million attacks on Internet of Things (IoT) devices in 2022. That’s up from 60.1 million attacks in 2021, an 87% increase. Worse, that figure is a global total, and SonicWall’s report explains that some regions were hit much harder, with North America experiencing a 145% jump in IoT attacks last year. That large increase suggests cybercriminals are increasingly turning to IoT devices where they may have preferred other attack types in the past.
    Another notable upsurge came in zero-day vulnerabilities: flaws that attackers discover and exploit before the affected software vendor knows they exist, so no patch is available when the attacks begin. That is what makes them especially dangerous.
    The number of zero-day threats active in the wild rose 150% in 2022, according to SonicWall. While the actual number does not seem huge (an increase from 14 to 35), each one could be devastating, since the vendor is unaware of the flaw and the time until a patch can be released is correspondingly longer.
    There were a handful of more positive notes sounded in the report. For instance, encrypted attacks, meaning malware and exploits delivered inside TLS-encrypted (HTTPS) traffic, where network inspection that does not decrypt the session cannot see them, fell 28%, from 10.1 million to 7.3 million. But that disguises some eyebrow-raising figures, including the claim that encrypted attacks on governments spiked an enormous 887%. While the number of governmental attacks may be low overall (which helps produce the massive percentage rise), the increasing sophistication of those malware strikes is concerning.
    What about ransomware? The good news is that usage of this notorious tactic dropped 21% compared to 2021. The bad news is that the 493.3 million ransomware attacks were higher than the figures recorded in 2017, 2018, 2019, and 2020, meaning it is far from irrelevant.
    While there were drops in some areas, the overall picture is of an increasing threat level from cybercrime. Most categories of attack, from cryptocurrency-related PC hijacking to intrusion attempts, grew in number. The overall number of malware attacks hit 5.5 billion, up 2% from last year.
    If those trends continue, 2023 could be a record-busting year for cybercrime. That means it’s more important than ever to outfit your computer with one of the best antivirus apps you can find and ensure you practice good digital security. Cybercrime may be on the rise, but you don’t have to fall victim to it.
    It’s been a bad few months for password managers — albeit mostly just for LastPass. But after the revelations that LastPass had suffered a major breach, attention is now turning to open-source manager KeePass.
    Accusations have been flying that a new vulnerability allows hackers to surreptitiously steal a user’s entire password database in unencrypted plaintext. That’s an incredibly serious claim, but KeePass’s developers are disputing it.
    Hackers are well known to nab customer data held by companies, but obtaining the personal data of pretty much all of the residents of a single nation in one fell swoop takes the nefarious practice to a whole new level.
    The remarkable feat was allegedly performed by a 25-year-old Dutch hacker who, when arrested by police, had in his possession personal data linked to pretty much every resident of Austria — about nine million people.
    The cybersecurity breach that LastPass owner GoTo reported in November 2022 keeps getting worse as new details are revealed, calling into question the company’s transparency on this serious issue.
    It has been two months since GoTo shared the alarming news that hackers stole the usernames, passwords, email addresses, phone numbers, IP addresses, and even billing information of LastPass users. In GoTo’s latest blog update, the company reported that several of its other products were compromised as well.


  • WVU Today | WVU provides notice of data breach involving limited … – WVU Today


    West Virginia University was recently alerted to a data breach in which a limited amount of personal information was available on a public-facing website.
    On Nov. 25, 2022, WVU was notified that a website set up in December 2021 and used for software development contained WVU information that was inadvertently publicly accessible. By Nov. 28, 2022, all information on the website had been removed from public view.
    On Jan. 4, 2023, during the course of the University’s investigation, it was discovered that a document containing a listing of patient file names also was inadvertently accessible on the website and downloaded by external parties.
    No Social Security numbers, personal financial information, dates of birth, home addresses, account numbers, passwords or any other information that could be used for identity theft purposes were involved.
    The unsecured information in the document was limited to a file name with patients’ first and last names and one of the following:

    Only the file name was disclosed and not the contents of the file or patient medical records. 
    The document did not link back to patients’ actual medical files, which are maintained and protected in an encrypted file server accessible only by authorized individuals who provide clinical, academic or administrative services to patients.
    WVU is conducting a thorough review of its information security and privacy policies to ensure incidents such as this one do not happen in the future. At this time, the University has no indication that the personal information of patients has been misused.

    WVU is providing notifications, including additional resources and instructions for safeguarding information, to the individuals personally affected by this data breach.
    Although no sensitive financial or personal information was disclosed, patients involved in this incident are encouraged to monitor their personal records to ensure there is no suspicious use or misuse of their information.
    Additional information can be found at go.wvu.edu/HSC-Data-Incident.
    Patients who have questions or concerns about this incident are asked to contact the WVU Health Sciences Risk Management and Privacy Office toll-free at 1-888-825-1401 (8:15 a.m. to 4:45 p.m.).
    -WVU-

    MEDIA CONTACT: Shauna Johnson
    Director of News Communications
    University Relations
    304-293-8302; sjohns13@mail.wvu.edu 
    © 2023 West Virginia University. WVU is an EEO/Affirmative Action employer — Minority/Female/Disability/Veteran. Last updated on March 1, 2023.


  • Tickets AudienceView Security Breach – SUNY Oswego

    SUNY Oswego has been made aware that our third-party vendor for campus event ticketing “AudienceView” (formerly known as “University Tickets”) has experienced a security breach. If you used a credit card to purchase tickets through tickets.oswego.edu during February 2023, this message contains important information and action for you to take.

    AudienceView has shared that this breach, which is being felt nationwide (including at many higher education institutions), is impacting individuals who used the system to purchase tickets online for university-sponsored events since early February 2023. Ongoing investigation into the matter reveals that information breached from AudienceView’s system includes personal credit card payment information.  

    In response to this nationwide breach that is affecting the SUNY Oswego community, Campus Technology Services (CTS) and the SUNY Oswego ticket office have initiated an information security incident to evaluate the scope of the third-party data breach and its impact on members of our campus community. Our team is actively working with AudienceView, along with other partners, to investigate this matter. Out of an abundance of caution, SUNY Oswego has suspended all ticket sales via tickets.oswego.edu, effective immediately.  

    If you purchased tickets for university events through tickets.oswego.edu this month, please be aware that you may receive a communication from AudienceView. AudienceView will be notifying those impacted by this breach via email with information and instructions. Please review this email carefully.

    In addition, we strongly encourage anyone who has purchased tickets through tickets.oswego.edu since early February 2023, to check your credit card statements immediately; contact your banking institution regarding any suspicious transactions; and report the suspicious transactions to University Police or your local police department.

    Further details will be provided as they become available.
    7060 State Route 104
    Oswego, NY 13126-3599
    315.312.2500
    © State University of New York at Oswego


  • 2 of the Worst Healthcare Data Breaches in US History Happened … – Dark Reading

    Is Healthcare Cybersecurity Getting Worse?
    Despite a minor decrease in the number of attacks against healthcare organizations from 2021 (715 breaches) to 2022 (707 breaches), the severity of attacks, measured by records compromised, continued to increase.
    The breach of OneTouchPoint Inc. saw 4,112,892 records compromised. It was the largest healthcare data breach of 2022 and the 9th largest of all time. The breach of Advocate Aurora Health saw more than 3 million patients’ data compromised. It was the 2nd largest healthcare breach of 2022 and the 10th largest of all time.
    Other study results indicated that:
    Third-party Vendors a Primary Cause of Healthcare Data Breaches
    The report found that insecure third-party vendors were a consistent cause of high-impact data breaches. Both the worst healthcare breach of 2022 and the second worst of all time came as a result of Business Associates failing to properly secure patient information.
    Dark Web Incentivizing Healthcare Cyberattackers
    The report found that patients’ healthcare data obtained through cyberattacks is most commonly sold. On the dark web, an individual healthcare record can be worth as much as $250. According to the report’s author Aaron Weissman, “A complete medical record contains all of someone’s personal identifying information. That information can be used to register identification documents or apply for credit cards. Even incomplete medical records can be aggregated with other stolen information to create a complete individual identity profile.”
    Basic Cybersecurity Practices Lacking in Healthcare
    The report challenges the narrative that the increasing severity of cyberattacks is a result of the increasing sophistication of malicious actors. In many of the worst data breaches on record, investigators found that even basic cybersecurity practices were lacking.
    In the worst healthcare breach of all time, investigators cited “a lax credential management policy and a lack of a risk management program” as a causal factor in the attack. The second largest healthcare data breach of all time was “determined to have occurred because of the lack of a cybersecurity program.”
    To see the complete findings, including a full breakdown of the largest healthcare breaches by records stolen and damage incurred, with full color charts, please visit the study here.
    About Network Assured
    Network Assured is a free, independent advisory that helps businesses price cybersecurity services, perform due diligence, and find better vendors. Learn more at www.NetworkAssured.com.
    Copyright © 2023 Informa PLC Informa UK Limited is a company registered in England and Wales with company number 1072954 whose registered office is 5 Howick Place, London, SW1P 1WG.


  • Hackers Claim They Breached T-Mobile More Than 100 Times in … – Krebs on Security

    Three different cybercriminal groups claimed access to internal networks at communications giant T-Mobile in more than 100 separate incidents throughout 2022, new data suggests. In each case, the goal of the attackers was the same: Phish T-Mobile employees for access to internal company tools, and then convert that access into a cybercrime service that could be hired to divert any T-Mobile user’s text messages and phone calls to another device.
    The conclusions above are based on an extensive analysis of Telegram chat logs from three distinct cybercrime groups or actors that have been identified by security researchers as particularly active in and effective at “SIM-swapping,” which involves temporarily seizing control over a target’s mobile phone number.
    Countless websites and online services use SMS text messages for both password resets and multi-factor authentication. This means that stealing someone’s phone number often can let cybercriminals hijack the target’s entire digital life in short order — including access to any financial, email and social media accounts tied to that phone number.
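    The weakness described above is structural: a reset flow that treats "can receive an SMS at the number on file" as proof of identity hands the account to whoever controls the number. The following is an added example (not T-Mobile's code, not from the Krebs post) that puts the weak flow next to a SIM-swap-resistant one. It assumes a simplified account model; the one-time-password routine follows RFC 4226/6238 (HMAC-SHA1, 30-second steps, six digits) using only the standard library, and the 72-hour cooldown after a phone-number change is a policy choice, not a standard.

```python
"""SMS-only account recovery versus a SIM-swap-resistant policy.

Added example; account model and cooldown length are assumptions.
"""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass

PHONE_CHANGE_COOLDOWN = 72 * 3600  # seconds; policy choice (assumption)
TOTP_STEP = 30


@dataclass
class Account:
    username: str
    phone: str
    phone_changed_at: int        # unix seconds of the last number change
    totp_secret: bytes           # shared with the user's authenticator app
    recovery_code_hashes: set    # hashes of unused one-time recovery codes


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1, dynamic truncation, decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now_ts: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, now_ts // TOTP_STEP, digits)


def verify_totp(secret: bytes, code: str, now_ts: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps to absorb clock drift."""
    counter = now_ts // TOTP_STEP
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


def hash_recovery_code(code: str) -> str:
    # Recovery codes are long random strings, so plain SHA-256 is adequate;
    # never do this for user-chosen passwords.
    return hashlib.sha256(code.encode()).hexdigest()


# --- Weak flow: possession of the phone number is the only factor ---------
def weak_reset(acct: Account, send_sms) -> str:
    """Issue a one-time code to the number on file and return it for the
    server to compare later. After a SIM swap the SMS reaches the attacker,
    who completes the reset with it."""
    code = f"{secrets.randbelow(10 ** 6):06d}"
    send_sms(acct.phone, code)
    return code


def weak_reset_complete(issued_code: str, submitted_code: str) -> bool:
    return hmac.compare_digest(issued_code, submitted_code)


# --- Hardened flow ---------------------------------------------------------
def hardened_reset(acct: Account, now_ts: int,
                   totp_code: str = "", recovery_code: str = "") -> bool:
    """Succeed only with a factor that never crosses the phone network:
    an authenticator-app code or a single-use recovery code. An SMS code
    is deliberately not accepted here, with or without other factors."""
    if totp_code and verify_totp(acct.totp_secret, totp_code, now_ts):
        return True
    if recovery_code:
        h = hash_recovery_code(recovery_code)
        if h in acct.recovery_code_hashes:
            acct.recovery_code_hashes.discard(h)   # burn it: single use
            return True
    return False


def sms_usable(acct: Account, now_ts: int) -> bool:
    """Even for low-value uses (login alerts, marketing), refuse to trust a
    number that changed within the cooldown, the window in which a
    fraudulent change or SIM swap is most likely to be in progress."""
    return now_ts - acct.phone_changed_at >= PHONE_CHANGE_COOLDOWN


def change_phone(acct: Account, new_phone: str, now_ts: int, notify_old_phone) -> None:
    """Warn the old number before switching, then start the cooldown."""
    notify_old_phone(acct.phone, f"Phone number on {acct.username} was changed")
    acct.phone = new_phone
    acct.phone_changed_at = now_ts
```

    In the weak flow nothing the site does can distinguish the legitimate subscriber from the attacker who bought a swap, because the carrier has already re-pointed the number. The hardened flow removes SMS from the recovery decision entirely and adds a cooldown so that a number changed minutes ago cannot immediately be used for anything sensitive, which is the property the "Tmo up!" market exploits.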
    All three SIM-swapping entities that were tracked for this story remain active in 2023, and they all conduct business in open channels on the instant messaging platform Telegram. KrebsOnSecurity is not naming those channels or groups here because they will simply migrate to more private servers if exposed publicly, and for now those servers remain a useful source of intelligence about their activities.
    Each advertises their claimed access to T-Mobile systems in a similar way. At a minimum, every SIM-swapping opportunity is announced with a brief “Tmobile up!” or “Tmo up!” message to channel participants. Other information in the announcements includes the price for a single SIM-swap request, and the handle of the person who takes the payment and information about the targeted subscriber.
    The information required from the customer of the SIM-swapping service includes the target’s phone number, and the serial number tied to the new SIM card that will be used to receive text messages and phone calls from the hijacked phone number.
    Initially, the goal of this project was to count how many times each entity claimed access to T-Mobile throughout 2022, by cataloging the various “Tmo up!” posts from each day and working backwards from Dec. 31, 2022.
    But by the time we got to claims made in the middle of May 2022, completing the rest of the year’s timeline seemed unnecessary. The tally shows that in the last seven-and-a-half months of 2022, these groups collectively made SIM-swapping claims against T-Mobile on 104 separate days — often with multiple groups claiming access on the same days.
    The 104 days in the latter half of 2022 in which different known SIM-swapping groups claimed access to T-Mobile employee tools.
    KrebsOnSecurity shared a large amount of data gathered for this story with T-Mobile. The company declined to confirm or deny any of these claimed intrusions. But in a written statement, T-Mobile said this type of activity affects the entire wireless industry.
    “And we are constantly working to fight against it,” the statement reads. “We have continued to drive enhancements that further protect against unauthorized access, including enhancing multi-factor authentication controls, hardening environments, limiting access to data, apps or services, and more. We are also focused on gathering threat intelligence data, like what you have shared, to help further strengthen these ongoing efforts.”
    While it is true that each of these cybercriminal actors periodically offers SIM-swapping services for other mobile phone providers — including AT&T, Verizon and smaller carriers — those solicitations appear far less frequently in these group chats than T-Mobile swap offers. And when those offers do materialize, they are considerably more expensive.
    The prices advertised for a SIM-swap against T-Mobile customers in the latter half of 2022 ranged between $1,000 and $1,500, while SIM-swaps offered against AT&T and Verizon customers often cost well over twice that amount.

    To be clear, KrebsOnSecurity is not aware of specific SIM-swapping incidents tied to any of these breach claims. However, the vast majority of advertisements for SIM-swapping claims against T-Mobile tracked in this story had two things in common that set them apart from random SIM-swapping ads on Telegram.
    First, they included an offer to use a mutually trusted “middleman” or escrow provider for the transaction (to protect either party from getting scammed). More importantly, the cybercriminal handles that were posting ads for SIM-swapping opportunities from these groups generally did so on a daily or near-daily basis — often teasing their upcoming swap events in the hours before posting a “Tmo up!” message announcement.
    In other words, if the crooks offering these SIM-swapping services were ripping off their customers or claiming to have access that they didn’t, this would be almost immediately obvious from the responses of the more seasoned and serious cybercriminals in the same chat channel.
    There are plenty of people on Telegram claiming to have SIM-swap access at major telecommunications firms, but a great many such offers are simply four-figure scams, and any pretenders on this front are soon identified and banned (if not worse).
    One of the groups that reliably posted “Tmo up!” messages to announce SIM-swap availability against T-Mobile customers also reliably posted “Tmo down!” follow-up messages announcing exactly when their claimed access to T-Mobile employee tools was discovered and revoked by the mobile giant.
    A review of the timestamps associated with this group’s incessant “Tmo up” and “Tmo down” posts indicates that while their claimed access to employee tools usually lasted less than an hour, in some cases that access apparently went undiscovered for several hours or even days.
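    The two measurements the story relies on, the count of distinct days on which any group posted a claim (the 104-day tally) and the gap between each group's "Tmo up" and "Tmo down" posts, can be computed from a channel export. The Go program below is an added example, not part of the KrebsOnSecurity story or its data set; the log lines, handles and message format in it are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
	"time"
)

// Constructed sample: one post per line as "RFC3339-timestamp handle message".
// These are made-up lines, not messages collected for the article.
const sampleLog = `2022-11-03T14:02:00Z crewA Tmo up!
2022-11-03T14:40:00Z crewA Tmo down!
2022-11-03T15:10:00Z crewB Tmobile up!
2022-11-04T09:00:00Z crewA tmo up
2022-11-04T19:30:00Z crewA Tmo down!
2022-11-06T11:00:00Z crewC Tmo up!
2022-11-06T11:12:00Z crewC Tmo down!
2022-11-06T12:00:00Z crewA later today, stay tuned
2022-11-06T13:00:00Z crewA Tmo up!
2022-11-06T13:09:00Z crewA Tmo down!`

// announceRe matches the "Tmo up!" / "Tmobile down!" variants and nothing else,
// so ordinary chatter is not miscounted as a claim.
var announceRe = regexp.MustCompile(`(?i)^\s*(?:tmo|tmobile|t-mobile)\s+(up|down)\b`)

// Session is one claimed access window: an "up" followed by the same handle's next "down".
type Session struct {
	Handle   string
	Start    time.Time
	Duration time.Duration
}

// Tally holds what the article's calendar graphic and timestamp review measured.
type Tally struct {
	ClaimDays      int            // distinct calendar days (UTC) with at least one "up"
	MultiGroupDays int            // days on which more than one handle claimed access
	DaysByHandle   map[string]int // distinct claim days per handle
	Sessions       []Session      // up->down pairs in chronological order
}

// Analyze parses the export and computes the tally. Lines that are not
// announcements, or that cannot be parsed, are skipped.
func Analyze(log string) Tally {
	handlesByDay := map[string]map[string]bool{}
	daysByHandle := map[string]map[string]bool{}
	openUp := map[string]time.Time{} // handle -> timestamp of an "up" not yet closed by a "down"
	t := Tally{DaysByHandle: map[string]int{}}

	for _, line := range strings.Split(log, "\n") {
		fields := strings.SplitN(strings.TrimSpace(line), " ", 3)
		if len(fields) < 3 {
			continue
		}
		ts, err := time.Parse(time.RFC3339, fields[0])
		if err != nil {
			continue
		}
		handle, msg := fields[1], fields[2]
		m := announceRe.FindStringSubmatch(msg)
		if m == nil {
			continue
		}
		day := ts.UTC().Format("2006-01-02")
		switch strings.ToLower(m[1]) {
		case "up":
			if handlesByDay[day] == nil {
				handlesByDay[day] = map[string]bool{}
			}
			handlesByDay[day][handle] = true
			if daysByHandle[handle] == nil {
				daysByHandle[handle] = map[string]bool{}
			}
			daysByHandle[handle][day] = true
			openUp[handle] = ts // a second "up" with no "down" in between restarts the window
		case "down":
			if start, ok := openUp[handle]; ok {
				t.Sessions = append(t.Sessions, Session{handle, start, ts.Sub(start)})
				delete(openUp, handle)
			}
		}
	}
	t.ClaimDays = len(handlesByDay)
	for _, hs := range handlesByDay {
		if len(hs) > 1 {
			t.MultiGroupDays++
		}
	}
	for h, ds := range daysByHandle {
		t.DaysByHandle[h] = len(ds)
	}
	sort.Slice(t.Sessions, func(i, j int) bool { return t.Sessions[i].Start.Before(t.Sessions[j].Start) })
	return t
}

func main() {
	t := Analyze(sampleLog)
	fmt.Printf("claim days: %d (days with more than one group: %d)\n", t.ClaimDays, t.MultiGroupDays)
	for _, s := range t.Sessions {
		fmt.Printf("%s %s claimed access for %v\n", s.Start.Format(time.RFC3339), s.Handle, s.Duration)
	}
}
```

An "up" that is never followed by a "down" (crewB above) counts toward the day tally but produces no session, which is how the article's durations should be read: they cover only the windows whose end was announced.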
    How could these SIM-swapping groups be gaining access to T-Mobile’s network as frequently as they claim? Peppered throughout the daily chit-chat on their Telegram channels are solicitations for people urgently needed to serve as “callers,” or those who can be hired to social engineer employees over the phone into navigating to a phishing website and entering their employee credentials.
    Allison Nixon is chief research officer for the New York City-based cybersecurity firm Unit 221B. Nixon said these SIM-swapping groups will typically call employees on their mobile devices, pretend to be someone from the company’s IT department, and then try to get the person on the other end of the line to visit a phishing website that mimics the company’s employee login page.
    Nixon argues that many people in the security community tend to discount the threat from voice phishing attacks as somehow “low tech” and “low probability” threats.
    “I see it as not low-tech at all, because there are a lot of moving parts to phishing these days,” Nixon said. “You have the caller who has the employee on the line, and the person operating the phish kit who needs to spin it up and down fast enough so that it doesn’t get flagged by security companies. Then they have to get the employee on that phishing site and steal their credentials.”
    In addition, she said, often there will be yet another co-conspirator whose job it is to use the stolen credentials and log into employee tools. That person may also need to figure out how to make their device pass “posture checks,” a form of device authentication that some companies use to verify that each login is coming only from employer-issued phones or laptops.
    For aspiring criminals with little experience in scam calling, there are plenty of sample call transcripts available on these Telegram chat channels that walk one through how to impersonate an IT technician at the targeted company — and how to respond to pushback or skepticism from the employee. Here’s a snippet from one such tutorial that appeared recently in one of the SIM-swapping channels:
    “Hello this is James calling from Metro IT department, how’s your day today?”
    (yea im doing good, how r u)
    i’m doing great, thank you for asking
    i’m calling in regards to a ticket we got last week from you guys, saying you guys were having issues with the network connectivity which also interfered with [Microsoft] Edge, not letting you sign in or disconnecting you randomly. We haven’t received any updates to this ticket ever since it was created so that’s why I’m calling in just to see if there’s still an issue or not….”
    The TMO UP data referenced above, combined with comments from the SIM-swappers themselves, indicate that while many of their claimed accesses to T-Mobile tools in the middle of 2022 lasted hours on end, both the frequency and duration of these events began to steadily decrease as the year wore on.

    T-Mobile declined to discuss what it may have done to combat these apparent intrusions last year. However, one of the groups began to complain loudly in late October 2022 that T-Mobile must have been doing something that was causing their phished access to employee tools to die very soon after they obtained it.
    One group even remarked that they suspected T-Mobile’s security team had begun monitoring their chats.
    Indeed, the timestamps associated with one group’s TMO UP/TMO DOWN notices show that their claimed access was often limited to less than 15 minutes throughout November and December of 2022.
    Whatever the reason, the calendar graphic above clearly shows that the frequency of claimed access to T-Mobile decreased significantly across all three SIM-swapping groups in the waning weeks of 2022.
    T-Mobile US reported revenues of nearly $80 billion last year. It currently employs more than 71,000 people in the United States, any one of whom can be a target for these phishers.
    T-Mobile declined to answer questions about what it may be doing to beef up employee authentication. But Nicholas Weaver, a researcher and lecturer at University of California, Berkeley’s International Computer Science Institute, said T-Mobile and all the major wireless providers should be requiring employees to use physical security keys for that second factor when logging into company resources.
    A U2F device made by Yubikey.
    “These breaches should not happen,” Weaver said. “Because T-Mobile should have long ago issued all employees security keys and switched to security keys for the second factor. And because security keys provably block this style of attack.”
    The most commonly used security keys are inexpensive USB-based devices. A security key implements a form of multi-factor authentication known as Universal 2nd Factor (U2F), which allows the user to complete the login process simply by inserting the USB key and pressing a button on the device. The key works without the need for any special software drivers.
    The allure of U2F devices for multi-factor authentication is that even if an employee who has enrolled a security key for authentication tries to log in at an impostor site, the company’s systems simply refuse to request the security key if the user isn’t on their employer’s legitimate website, and the login attempt fails. Thus, the second factor cannot be phished, either over the phone or Internet.
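    To make concrete why the preceding paragraph and Weaver say security keys "provably block this style of attack", here is an added Go example of the origin binding in a U2F/WebAuthn login; it is not code from the article, from T-Mobile or from any FIDO vendor. The relying-party ID, origins and challenges are assumed names, and the flags, counter and CBOR encoding of real authenticator data are omitted; only the parts that defeat a phishing page are modelled.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// ClientData is what the browser assembles for each login; the key signs over
// its hash, so the origin the user actually visited is bound into the signature.
type ClientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the web page receives from the browser.
type Assertion struct {
	AuthData   []byte // SHA-256(rpID); real authenticator data also carries flags and a counter
	ClientData []byte // serialized ClientData
	Sig        []byte // ECDSA P-256 signature, ASN.1 encoded
}

// SecurityKey models the token: one credential per relying-party (RP) ID,
// looked up by the hash of the RP ID the browser derives from the page origin.
type SecurityKey struct{ creds map[[32]byte]*ecdsa.PrivateKey }

func NewSecurityKey() *SecurityKey { return &SecurityKey{creds: map[[32]byte]*ecdsa.PrivateKey{}} }

// Register creates a credential scoped to rpID; the RP stores the public key.
func (k *SecurityKey) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	k.creds[sha256.Sum256([]byte(rpID))] = priv
	return &priv.PublicKey, nil
}

// signedDigest is the message both sides sign/verify: authData || SHA-256(clientDataJSON).
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// Assert models browser plus key. A real browser derives rpID from the page's
// origin, so on a look-alike domain the key finds no credential and stays
// silent; rpID is a separate parameter here only so the relayed case can be shown.
func (k *SecurityKey) Assert(origin, rpID, challenge string) (*Assertion, error) {
	rpIDHash := sha256.Sum256([]byte(rpID))
	priv, ok := k.creds[rpIDHash]
	if !ok {
		return nil, errors.New("no credential registered for this RP ID")
	}
	cd, _ := json.Marshal(ClientData{Challenge: challenge, Origin: origin}) // plain strings: cannot fail
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(rpIDHash[:], cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{AuthData: rpIDHash[:], ClientData: cd, Sig: sig}, nil
}

// Verify is the RP's side: the assertion must carry the challenge this RP
// issued, the RP's own origin and RP ID hash, and a valid signature over both.
func Verify(pub *ecdsa.PublicKey, expectedOrigin, rpID, issuedChallenge string, a *Assertion) error {
	var cd ClientData
	if err := json.Unmarshal(a.ClientData, &cd); err != nil {
		return err
	}
	if cd.Challenge != issuedChallenge {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != expectedOrigin {
		return errors.New("origin mismatch: assertion was produced for " + cd.Origin)
	}
	want := sha256.Sum256([]byte(rpID))
	if len(a.AuthData) < 32 || !bytes.Equal(a.AuthData[:32], want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(a.AuthData, a.ClientData), a.Sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	key := NewSecurityKey()
	pub, _ := key.Register("login.example.com")
	good, _ := key.Assert("https://login.example.com", "login.example.com", "c1")
	fmt.Println("legitimate login:", Verify(pub, "https://login.example.com", "login.example.com", "c1", good))
	_, err := key.Assert("https://login-example-helpdesk.net", "login-example-helpdesk.net", "c2")
	fmt.Println("look-alike page, browser-derived RP ID:", err)
	relayed, _ := key.Assert("https://login-example-helpdesk.net", "login.example.com", "c3")
	fmt.Println("relayed assertion, wrong origin:", Verify(pub, "https://login.example.com", "login.example.com", "c3", relayed))
}
```

Contrast this with a one-time code read out over the phone: nothing in a six-digit code says which site it was meant for, so it can be relayed, whereas the assertion above carries the origin and RP ID inside the signed data.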
    Nixon said one confounding aspect of SIM-swapping is that these criminal groups tend to recruit teenagers to do their dirty work.
    “A huge reason this problem has been allowed to spiral out of control is because children play such a prominent role in this form of breach,” Nixon said.
    Nixon said SIM-swapping groups often advertise low-level jobs on places like Roblox and Minecraft, online games that are extremely popular with young adolescent males.
    “Statistically speaking, that kind of recruiting is going to produce a lot of people who are underage,” she said. “They recruit children because they’re naive, you can get more out of them, and they have legal protections that other people over 18 don’t have.”
    For example, she said, even when underage SIM-swappers are arrested, the offenders tend to go right back to committing the same crimes as soon as they’re released.
    In January 2023, T-Mobile disclosed that a “bad actor” stole records on roughly 37 million current customers, including their name, billing address, email, phone number, date of birth, and T-Mobile account number.
    In August 2021, T-Mobile acknowledged that hackers made off with the names, dates of birth, Social Security numbers and driver’s license/ID information on more than 40 million current, former or prospective customers who applied for credit with the company. That breach came to light after a hacker began selling the records on a cybercrime forum.
    In the shadow of such mega-breaches, any damage from the continuous attacks by these SIM-swapping groups can seem insignificant by comparison. But Nixon says it’s a mistake to dismiss SIM-swapping as a low volume problem.
    “Logistically, you may only be able to get a few dozen or a hundred SIM-swaps in a day, but you can pick any customer you want across their entire customer base,” she said. “Just because a targeted account takeover is low volume doesn’t mean it’s low risk. These guys have crews that go and identify people who are high net worth individuals and who have a lot to lose.”
    Nixon said another aspect of SIM-swapping that causes cybersecurity defenders to dismiss the threat from these groups is the perception that they are full of low-skilled “script kiddies,” a derisive term used to describe novice hackers who rely mainly on point-and-click hacking tools.
    “They underestimate these actors and say this person isn’t technically sophisticated,” she said. “But if you’re rolling around in millions worth of stolen crypto currency, you can buy that sophistication. I know for a fact some of these compromises were at the hands of these ‘script kiddies,’ but they’re not ripping off other people’s scripts so much as hiring people to make scripts for them. And they don’t care what gets the job done, as long as they get to steal the money.”
    This entry was posted on Tuesday 28th of February 2023 11:14 AM
    I’ve been a T-Mobile customer for years. It took me about 10 minutes way back when to figure out they were under the magic spell of social engineers. Germans who know about Max Planck know he played a dangerous game and paid dearly, nothing new there. I was eventually “forced” into a Smart Phone by the demise of 3G but get weekly nags to fully install my OS. That’s not what Max Planck would do.
    Sounds more like your phone needs security updates, which otherwise leaves your device vulnerable to various malware & hacks
    “A new scientific truth does not triumph by convincing its opponents and making them see the light, but rather because its opponents eventually die and a new generation grows up that is familiar with it” – Max Planck
    Brian, didn’t you say once that there is somewhere we can register to essentially freeze our SIM card, so to speak, like you put a freeze on your credit reports with the big 3 (4) credit bureaus. I vaguely remember the report and you saying that putting a freeze on your credit reports doesn’t likewise protect the SIM card/mobile number, so you had to put a separate freeze with a different company. What is that company, and do all mobile carriers honor that freeze?
    Or am I totally misremembering that article and there’s no comparable freeze mechanism to prevent SIM swaps?
    It’s called a NOPORT. You must call T-Mobile and ask them to enable NO PORT on your number. If the agent doesn’t know what you’re talking about, end the call and call again to get an agent that does.
    Verizon calls it Number Lock, you can enable it in the phone app and I believe on the website. You don’t need to talk to a person to turn it on.
    No need to call in, you can do this from t-mobile account settings > privacy > sim lock.
    Can you please give more detail on how to do this? I can’t find it in the settings.
    Select Account then Privacy & Notifications, then SIM Protection, then enable it.
    Just checked my T-Mo accounts & discovered that the SIM protection feature had somehow been turned OFF, who knows when, but definitely by T-Mo.
    I know that I turned it on as soon as that option was available to customers so beware & double check if you have previously used this security feature.
    Very important not to confuse with another setting in the general phone settings called “SIM card lock”. This particular setting does NOT prevent a SIM swap.
    @Brian
    > employee-issued phones or laptops
    That should be *employer-issued*
    You can and probably should take advantage of whatever protections are offered by the phone companies. But it’s important to point out that if an employee can put these restrictions in place, a phished (or collusive) employee can undo that in a second.
    You forgot to mention another vector for SIM swapping, rogue cell service employees trying to make a quick buck by taking advantage of the company they work for. Another real good read!
    Thank you for the NOPORT term. Good to know the specific ask. Hope this would prevent T-Mobile insiders from SIM-swapping, but given T-Mobile’s security stance, I have no such hope and left T-Mobile in disgust some time ago since they really don’t care about breaches or such; 80 BILLION in revenue allows for many settlements and still walking away fat. Brian has done a great job illustrating the ramifications of SIM swaps. Ouch!
    T-Mobile account login has a serious flaw when it comes to MFA. You can set up your account to use TOTP. But you are still presented with the option to use SMS for 2FA at every login.
    There is no way to disable the SMS option.
    This is a shortcoming of a lot of 2FA systems. Seemingly they provide little protection because you can’t limit it to just one system, and eventually it will even lead into security questions to allow a log in.
    Not everywhere.
    Azure AD does not have fallback.
    Fallbacks have to be designed into the solution.
    Unfortunately I just discovered this. I thought I was helping to secure my T-Mobile account by implementing Google Authenticator. Then I discover that there’s no way to disable the SMS option. What the heck! Isn’t there a single Cyber Security engineer at T-Mobile who says “Wait, this is moronic.”
    This is exactly what you get with dumbo CISOs with MBA and other unrelated disciplines.
    Like going to have a surgery with an attorney.
    Most US companies are like this. It’s not going to change because there is no skilled labor with needed skills in Cybersecurity in the US.
    FYI. There is more info on defensive steps for SIM swaps here
    http://www.defensivecomputingchecklist.com/simswap.php
    And, some info on avoiding ads from the cell companies here
    http://www.defensivecomputingchecklist.com/cell.phone.companies.php
    honestly at this point they should just change their name to t-morrowwellgethackedagain
    U2F can provide a fairly high level of security to the authentication process. But proper implementation is critical. Implementation of some backup factor is a very good idea, but frequently leads to the weak link. As “vaadu” noted in their comment above, T-Mobile has implemented SMS as a backup to TOTP and has introduced a weaker link through SMS. That essentially makes TOTP of no use since the weaker SMS is always available. They could do the same to a U2F implementation.
    I have primary and backup U2F keys which are both USB and NFC interfaced. There are precious few locations where I can use U2F though. I use Gmail, Google Voice, and have a family domain with Google Workspace where I use them. AT&T wireless uses SMS, so no go there. Outlook.com and Yahoo.com and a handful of others. Curiously, few financial institutions have implemented U2F; even worse, most use SMS for 2FA.
    Does TMO not use MFA and phishing just needs a username and password to get into their internal systems? Or how was MFA phished too?
    “to social engineer employees over the phone into navigating to a phishing website and entering their employee credentials.”
    It’s time to complain to your bank about not supporting FIDO2 (or at least TOTP).
    Is there a list of banks that do? Complain with your feet/wallet.
    Or complain to your bank, that could work. In some definition of work.
    “Oh yes sir I agree sir, we’ll get right on that sir. Is there anything else?
    Have you seen our new rewards gimmick account? Oh you have?”
    Brian,
    How does the new ESIM equate into this? Is it more likely to be breached or less likely?
    Depends. All you need is a QR code. 😉 Often no need to leave your house, no need to call anywhere. In Europe all you need is the victim’s account. They store passwords in plaintext. It’s bad bad.
    I just now called Tmo 611 tech Patricia and found you need both NOPORT and SimProtect. NOPORT keeps anyone from porting your number to a carrier outside of TMo, but you also need SimProtect which keeps anyone from changing your Sim card serial number to a different Sim card serial to be used on a new phone remotely, which is how simswap scammers work. SimProtect at TMo requires in-person visit and ID presentation at TMo to get your phone number assigned to a new Sim card serial number provided there.
    Please delete my last name from my previous post I just made.
    Thanks for that my dear friends!
    Can somebody tell me if in Europe SIM swapping is going on also, or is this a specific US problem?
    So T-Mobile is dropping auto-pay by credit card as of May 2023. To continue receiving the auto-pay discount on billing you have to replace the credit card with a debit card or a bank account.
    How safe are these options in the next T-Mobile security breach?

  • Hacked home computer of engineer led to second LastPass data breach – CSO Online

    Password management company LastPass, which was hit by two data breaches last year, has revealed that data exfiltrated during the first intrusion, discovered in August, was used to target the personal home computer of one of its devops engineers and launch a second successful cyberattack, detected in November.
    The threat actor involved in the breaches infected the engineer’s home computer with a keylogger, which recorded information that enabled a cyberattack that exfiltrated sensitive information from the company’s AWS cloud storage servers, LastPass said in a cybersecurity incident update Monday.
    The company had divulged information about the data breaches last year; the update reveals for the first time that the same threat actor was responsible for both breaches.
    The first intrusion ended on August 12 last year. However, LastPass now says that the threat actor was actively engaged in a new series of reconnaissance, enumeration, and exfiltration activity aimed at the company’s cloud storage environment from August 12 to October 26, 2022.
    “The observed tactics, techniques, and procedures (TTPs), as well as the indicators of compromise (IOCs) of the second incident were not consistent with those of the first. While proximal in terms of timeline, it was not initially obvious that the two incidents were directly related,” LastPass said in its update. There has been no activity by the threat actor after October 26, the company added.
    The developer whose home computer was infected with the keylogger was only one of four devops engineers in the company who had access to the decryption keys of encrypted Amazon S3 buckets.
    “The threat actor was able to capture the employee’s master password as it was entered, after the employee authenticated with MFA, and gain access to the devops engineer’s LastPass corporate vault,” LastPass said. 
    The threat actor then exported the native corporate vault entries and content of shared folders, which contained encrypted secure notes with access and decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups. 
    The use of valid credentials made it difficult for the company’s investigators to detect the threat actor’s activity. 
    In the first intrusion, in August, a software engineer’s corporate laptop was compromised, allowing the threat actor to gain access to a cloud-based development environment and steal source code, technical information, and certain LastPass internal system secrets, LastPass CEO Karim Toubba said in a blog addressed to customers.
    No customer data or vault data was stolen during this incident, as LastPass did not have any customer or vault data in the development environment. 
    “We declared this incident closed but later learned that information stolen in the first incident was used to identify targets and initiate the second incident,” Toubba said. 
    During the first incident, the threat actor was able to access on-demand, cloud-based development and source code repositories of 14 out of 200 software repositories.
    Internal scripts from the repositories — which contained company secrets and certificates as well as internal documentation including technical information that described how the development environment operated — were also accessed by the threat actor.
    In the second incident, the threat actor used the information stolen in the first intrusion to target a senior devops engineer and exploit vulnerable third-party software to install a keylogger, Toubba said.  
    The threat actor leveraged information from the keylogger malware, including the engineer’s credentials, to bypass and ultimately gain access to cloud backups. The data accessed from those backups included system configuration data, API secrets, third-party integration secrets, and encrypted and unencrypted customer data, the company said. 
    The threat actor also accessed devops secrets including information used to gain access to cloud-based backup storage. Access to a backup of the LastPass multifactor authentication (MFA) and federation database that contained copies of the company’s authenticator seeds, telephone numbers used for MFA backup, as well as a split-knowledge component (the K2 “key”) used for LastPass federation, was also gained by threat actor, LastPass said. 
    The identity of the threat actor and their motivation is unknown. There has been no contact or demands made, and there has been no detected credible underground activity indicating that the threat actor is actively engaged in marketing or selling any information obtained during either incident, LastPass said. 
    LastPass has taken several steps to strengthen its security in the wake of the incidents. “We invested a significant amount of time and effort hardening our security while improving overall security operations,” the CEO said.
    Some of this included assisting devops engineers with hardening the security of their home network and personal resources, rotating critical and high privilege credentials, and enabling custom analytics that can detect ongoing abuse of AWS resources. LastPass says it has millions of users and more than 100,000 businesses as customers.

    Apurva Venkat is principal correspondent for the India editions of CIO, CSO, and Computerworld.
    Copyright © 2023 IDG Communications, Inc.

  • Media Giant News Corp Discloses New Details of Data Breach – SecurityWeek

    News Corp says a threat group, previously linked to the Chinese government, had access to its systems for two years before the breach was discovered.
    Media giant News Corp has disclosed new details about a data breach discovered last year and attributed to a state-sponsored threat actor.
    In early 2022, News Corp revealed that hackers had managed to steal corporate data from its systems, but claimed that financial and customer information were not compromised. The incident was discovered in January 2022 and cybersecurity firm Mandiant was called in to assist with the investigation.
    News Corp said at the time that the attack had been tied to a foreign government, and Mandiant clarified that it appeared to be the work of a Chinese group. 
    The cyberattack hit News Corp headquarters, news operations in the UK, as well as News Corp-owned businesses such as The Wall Street Journal, Dow Jones, and New York Post.  
    The media giant last week started sending out data breach notices to individuals whose data may have been compromised. Bleeping Computer was the first to spot the notification.
    The notification, a copy of which was submitted to authorities in Massachusetts, reveals that the hackers gained access to a business email and document storage system used by several News Corp businesses. 
    The attackers had gained access to business documents and emails between February 2020 and January 2022. The compromised information came from a ‘limited number’ of personnel accounts on the affected system.
    Some personal information may have been obtained by the attackers, including name, date of birth, Social Security number, passport number, driver’s license number, financial account information, health insurance details, and medical information. The company noted that not every type of information was compromised in each individual’s case. 
    “Our investigation indicates that this activity does not appear to be focused on exploiting personal information. We are not aware of reports of identity theft or fraud in connection with this issue,” News Corp said.
    However, the company has decided to offer 24 months of free identity protection and credit monitoring services to impacted individuals. 

    Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
    Copyright © 2023 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.