The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our intelligence specialists.
Customer data breach at WeLeakInfo: Over 24,000 customers’ payment data leaked.
Microsoft touchpoint: One-click mitigation tool, ransomware, and an unrelated outage.
New botnet appears: A new Mirai botnet variant is targeting security devices with public exploits.
Ongoing cyber espionage campaign: Telecommunications sector targeted.
SMS - MFA’s weakest link: SMS messages can be diverted for as little as USD 16.
GDPR violation: Vodafone Spain fined EUR 8.5m over data processing and consent practices.
Customer payment data leaked from WeLeakInfo
- The online service that sold access to more than 12 billion credentials has suffered a data breach. Payment information from 24,000 customers who paid to access the service has been leaked.
- The registration of one of the domains owned by WeLeakInfo expired. The domain was then registered by an adversary, who used it to reset the account password and consequently gained access to all the data.
Microsoft releases ProxyLogon mitigation tool and suffers an unrelated outage
- Microsoft released a one-click mitigation tool for its on-premises Exchange Server. The PowerShell script checks for the vulnerabilities, prevents the initial vulnerability from being exploited and removes malicious artefacts. It is designed for SMEs without a dedicated security team.
- Ransomware groups and crypto-miners are also exploiting the ProxyLogon vulnerabilities. Now that the exploit is public, even script-kiddies have been able to launch damaging attacks.
- In an unrelated issue, Azure suffered a worldwide authentication outage on Monday. Microsoft said a configuration issue prevented customers from using numerous Microsoft applications; the problem was remedied by Tuesday morning.
So what? It remains imperative to patch on-premises Exchange servers and to check for indicators of compromise.
New botnet targeting network security devices
- A new Mirai-based botnet targets network security devices affected by critical vulnerabilities. The botnet currently uses ten publicly available exploits, and the number is increasing over time.
- After compromising a device, the attacker transfers several scripts allowing for propagation of the botnet and various attacks on the system.
So what? Ensure all network security devices are still supported and have the latest security patches to avoid becoming an easy target for an attacker leveraging publicly available exploits.
Cyber espionage campaign targeting the telecommunications sector
- An ongoing cyber espionage campaign targeting the telecommunications sector has been uncovered. The campaign uses a phishing website designed as Huawei’s career page to target telecommunications professionals.
- McAfee, who discovered the campaign, assesses that it may be intended to steal intellectual property related to 5G technology. Organisations in the US, Europe and Southeast Asia have been targeted.
SMS: MFA’s weakest link
- Leveraging a flaw in SMS technology, threat actors are able to divert messages to numbers under their control. This is achieved by abusing legitimate SMS marketing providers' services.
- The cost to divert SMS messages in this way is as little as USD 16. Threat actors simply have to claim that they own the victim’s mobile number, with little requirement to evidence it.
So what? Don’t rely on SMS messages for MFA tokens. Instead, use a third-party authenticator app.
Vodafone Spain fined EUR 8.5m for GDPR violations
- The Spanish Data Protection Agency (AEPD) fined Vodafone Spain EUR 8.15m over GDPR violations. Since January 2020, Vodafone has been subject to data privacy regulatory action on at least 50 occasions.
- In this case, Vodafone violated several data processing and related consent regulations. The firm had transferred data internationally without sufficient protections and repeatedly contacted customers without their prior consent.
So what? Ensure your organisation maintains complete visibility over how customer and employee data is handled, particularly if you outsource to third-party providers.