At a glance.
- The inherent risk telcos face.
- A buggy iPhone app permits eavesdropping on calls.
- Ransomware surges as criminals exploit vulnerable Microsoft Exchange Server instances.
- More on the Verkada breach, including a police raid.
Telcos make easy targets for attackers.
Forbes takes a look at the mounting cybersecurity dangers faced by telecommunications companies globally. Telcos are attractive targets because of the large number of customers they serve, and because their data-driven business model requires large-scale data processing, which makes them prime targets for credential stuffing attacks. Furthermore, the very nature of the services telcos offer to customers makes the data inherently vulnerable, even on the most secure, properly configured networks. As Compliance Week reports, since the EU’s General Data Protection Regulation came into force in 2018, telecoms have been the most fined industry as a result of security incidents, with more than four times the number of fines received by big tech. The two biggest fines so far were imposed on Greek telecoms, and in Spain, Vodafone has been hit with nearly forty fines. While some telcos misuse data for telemarketing purposes, Camilla Winlo, director of consultancy at data privacy firm DQM GRC, explains “it is more likely they are failing to comply through ineffective controls and procedures rather than a willful disregard of the rules.” Going forward, telcos can protect themselves by watching for malicious automated traffic, using artificial intelligence to detect whether requests are coming from bots, and finding ways to update their defenses without hurting legitimate customers.
iPhone app allows attackers to spy on calls.
Cybersecurity researcher Anand Prakash discovered a (now fixed) vulnerability in an iPhone app that could allow threat actors to listen in on phone calls, Naked Security reports. To make matters worse, the app was seemingly well-reviewed, with thousands of five-star reviews that were clearly fake and often referenced a different app entirely. The app, Acr Call Recorder, had an Insecure Direct Object Reference bug, or IDOR, making it possible for anyone able and willing to watch how the app operates to easily determine how to send data requests to a recipient of their choice. Due to poor programming, all an attacker needed to do was swap out the UserID in a call-home request, and there would be no way for the server to determine whether the user had any right to request the data. In other words, with the right knowledge, anyone could access anyone else’s call data at any time.
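A minimal model of the authorization gap described above, added here as an illustration and not code from the article or from the app it describes: the vulnerable handler authenticates the caller but trusts the client-supplied UserID, while the hardened handler ties the requested object to the server-side session and records denied cross-user requests for detection. The session table, call records and function names are constructed.

```python
# Constructed sample data: session tokens mapped to authenticated user IDs,
# and the call records each user owns.
SESSIONS = {"tok-alice": "u100", "tok-bob": "u200"}
CALL_RECORDS = {
    "u100": ["2021-03-10 call with +1-555-0100"],
    "u200": ["2021-03-11 call with +1-555-0200"],
}
# Server-side audit trail of denied requests: (session owner, requested user id).
AUDIT_LOG = []


class Forbidden(Exception):
    """Authenticated caller asked for an object it does not own."""


def vulnerable_get_calls(session_token, requested_user_id):
    # Authentication happens, but the UserID in the request body is used directly
    # as the lookup key: any valid session can read any user's records (IDOR).
    if session_token not in SESSIONS:
        raise PermissionError("not authenticated")
    return CALL_RECORDS.get(requested_user_id, [])


def hardened_get_calls(session_token, requested_user_id):
    # Authorization: ownership is derived from the server-side session, never from
    # the request body. A mismatch is denied and logged.
    caller = SESSIONS.get(session_token)
    if caller is None:
        raise PermissionError("not authenticated")
    if requested_user_id != caller:
        AUDIT_LOG.append((caller, requested_user_id))
        raise Forbidden(f"{caller} requested records belonging to {requested_user_id}")
    return CALL_RECORDS.get(caller, [])


def denied(handler, session_token, requested_user_id):
    """True if the handler refuses the request on authorization grounds."""
    try:
        handler(session_token, requested_user_id)
    except Forbidden:
        return True
    return False


def suspicious_sessions(threshold=3):
    # Detection hook: sessions that repeatedly request other users' objects are
    # probing for exactly the bug described above.
    counts = {}
    for owner, _ in AUDIT_LOG:
        counts[owner] = counts.get(owner, 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)
```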
Microsoft Exchange vulnerabilities lead to massive surge in attack attempts.
The Hacker News reports that the US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a joint advisory regarding exploitation of critical remote code execution vulnerabilities in Microsoft Exchange, the leading mail server in the world. As the advisory states, "CISA and FBI assess that adversaries could exploit these vulnerabilities to compromise networks, steal information, encrypt data for ransom, or even execute a destructive attack." As researchers feverishly work to secure networks, hackers are attempting to exploit the flaws at an alarming rate. Check Point Research explains that in a 24-hour span, the number of exploitation attempts against the organizations it serves doubled every two to three hours. Turkey is the most targeted country, followed closely by the US, and the attack methods resemble the previous activities of threat actors linked to China. The European Banking Authority and the Norwegian Parliament are among the tens of thousands of organizations that have been breached to install the “China Chopper,” a web-based backdoor that allows the attackers to read users’ emails and even remotely access and take over the server. Though Microsoft released an emergency patch on March 3, journalist Brian Krebs explains "different cybercriminal groups somehow learned of Microsoft's plans to ship fixes for the Exchange flaws a week earlier than they'd hoped," leading to the increased probing activity. Making matters worse, researcher Marcus Hutchins found that a functional proof-of-concept for the full exploit chain has been published. Security firm Barracuda confirms that its researchers detected a marked increase in probing starting at the beginning of this month, and in response it has developed mitigation strategies to block scanning and exploitation attempts.
More on the Verkada breach.
As a former Verkada employee tells Bloomberg that a large number of company personnel had access to video feeds, Swiss police raided the Lucerne apartment of Tillie Kottmann, who had earlier claimed credit for the hack on behalf of the Arson Cats. Bloomberg reports that the raid was conducted in conjunction with an earlier US criminal case.
Vice has a quote from Kottmann to the effect that "My apartment was raided by local police this morning 7am my time and all my electronic devices have been confiscated on request of the US Department of Justice," but Kottmann hasn't responded to Vice's other questions. The publication had previously received Kottmann's coup list, which included "K-12 schools, seemingly private residences marked as 'condos,' shopping malls, credit unions, multiple universities across America and Canada, pharmaceutical companies, marketing agencies, pubs and bars, breweries, a Salvation Army center, churches, the Professional Golfers Association, museums, a newspaper's office, airports, and more." The motive, recall, was hacktivist: a nominal desire to strike a blow against surveillance while having fun. It's always fun until the police show up.
Rolf Lindemann, VP of Product at Nok Nok Labs and Co-Chair of the UAF Technical Working Group for the FIDO Alliance, wrote to express his view that the incident is more evidence that authentication based on the familiar username-password combination is headed for obsolescence:
"The Verkada hack is far from surprising because the use of username/password-based authentication has been on the fast track to obsoletion for quite some time. These methods are not secure, scalable nor convenient – neither for accessing corporate resources nor for accessing IoT devices. Yet, despite constant exploitation, they continue to prevail. The time for change was yesterday, and Verkada only magnified the severity of the situation. While many are focusing on the access that was gained to networks, most importantly, we must acknowledge that this subsequently allowed access to frightening personal information and situations given that surveillance cameras were involved. It is not a new observation that Secure Perimeters are dead. But the rate at which they need to be improved is. To make Zero Trust a reality for employees, customers and IoT devices, convenient and strong authentication is key."