The S-RM Cyber Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our intelligence specialists.
- T-Mobile breach. The telecommunications company confirm data breach exposing personal data.
- Accenture ransomware attack. Lockbit 2.0 reportedly demand a USD 50 million ransom.
- Terrorist watchlist exposed. Unprotected Elasticsearch cluster exposes US watchlist.
- Crypto heist update. An update on the USD 600 million cryptocurrency heist covered in last week’s Cyber Intelligence Briefing.
- I spy. Millions of IoT devices vulnerable to eavesdropping and remote control.
- News in the pipeline from Colonial. 5,810 individuals had personal data exfiltrated in May’s ransomware attack.
106GB of data stolen from T-Mobile
T-Mobile confirmed that it suffered a data breach in which threat actors stole personal information relating to over 48 million people, including current, former, and prospective customers. Some of the stolen data variously included customers’ names, dates of birth, social security numbers (SSN), and driver’s licences or ID information. The threat actor initially claimed the stolen data related to over 100 million people.
The threat actor reportedly claimed that they conducted the attack in retaliation against the US’ treatment of John Erin Binns, a US citizen who sued the FBI, CIA, and US Department of Justice last year for allegedly kidnapping and torturing him in Germany in 2019.
SO WHAT? This is T-Mobile’s fifth publicly disclosed breach since 2018. Telecommunication businesses are, and will continue to be, attractive targets for threat actors due to the valuable data that they hold and the far-reaching impact an attack can have.
Accenture suffers ransomware attack
Global IT consultancy Accenture suffered a ransomware attack from the Lockbit 2.0 threat group, who claim to have stolen 6TB of data. Reports indicate that a USD 50 million ransom has been demanded. Accenture reportedly noticed a security breach on 30 July and was able to contain the incident by isolating affected systems before restoring encrypted servers from backups.
There is speculation that the attack may have been facilitated by an insider at Accenture. Although not confirmed, Lockbit 2.0 has been actively recruiting employees who can give them access to corporate networks.
Accenture only acknowledged the incident on 11 August after Lockbit 2.0 posted about the attack on its leak site. The consultancy has received some criticism for its lack of transparency relating to the incident.
SO WHAT? A well-planned public relations strategy can play a significant role in mitigating any reputational damage a victim organisation may suffer following a cyber incident. PR strategists with experience responding to cyber attacks should be key stakeholders of a response team.
Public Elasticsearch cluster exposes terrorist watchlist data
On 16 August, a security researcher reported that, in July, he had identified a publicly accessible database, the details of which indicated it may be a US Terrorist Screening Center watchlist. The database, containing 1.9 million records, was accessible via a public Elasticsearch cluster that required no authentication to view.
The researcher reported the finding to the US Department of Homeland Security, but the exposed server remained accessible for three more weeks. The list included highly sensitive information including individuals’ names, passport details, and no-fly statuses.
SO WHAT? Elasticsearch database configuration should be carefully reviewed during setup to ensure it is not publicly accessible. Authentication and other access controls should also be used to protect such databases, especially when they contain sensitive information.
Poly Network cryptocurrency heist update
The hacker has returned most of the funds but is still holding onto more than USD 200 million worth of cryptocurrency. Poly Network claim to have no intention of holding the hacker legally responsible.
SO WHAT? Consider how a bug bounty programme and/or pen testing exercise could help to uncover vulnerabilities. A formal bug bounty programme can allow you to work with trusted security researchers to improve your overall security.
83 million IoT devices at risk of exploitation
Researchers have discovered a critical vulnerability affecting 83 million internet-of-things (IoT) devices. If exploited, attackers could take remote control of the device, resulting in the ability to eavesdrop on live video and audio streams or conduct further attacks.
The vulnerability impacts devices connected via ThroughTek’s Kalay IoT cloud platform, specifically smart baby monitors and security webcams. Companies and specific products affected are unknown.
News in the pipeline from Colonial
Colonial Pipeline announced that it had “recently learned” DarkSide operators also exfiltrated data. In addition to May’s ransomware attack, the group was able to steal documents containing details of individuals’ SSNs, military ID, tax particulars and driver’s licence numbers.
Colonial Pipeline issued a data breach notification letter on 13 August. The company also offered free identity restoration and credit monitoring services for two years to affected individuals.
SO WHAT? Regulations in both the UK and US require personal information breaches to be reported. The UK’s Information Commissioner and each US State have assessment criteria and reporting processes that organisations should be familiar with.