The CyberWire Daily Podcast 7.12.24
Ep 2106 | 7.12.24

AT&T's not so LOL hack.

Transcript

AT&T wireless announces a massive data breach. NATO will build a cyber defense center in Belgium. The White House outlines cybersecurity budget priorities. A popular phone spyware app suffers a major data breach. Some Linksys routers are sending user credentials in the clear. Sysdig describes Crystalray malware. A massive phishing campaign is exploiting Microsoft SharePoint servers. Germany strips Huawei and ZTE from 5G infrastructure. Our guest is Brigid Johnson, Director of AWS Identity, on the importance of identity management. The EU tells X-Twitter to clean up its act or pay the price.

Today is Friday, July 12th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

AT&T wireless announces a massive data breach. 

Attackers have stolen logs of call and text interactions from nearly every AT&T wireless customer, the company announced. The data, which covers a six-month period in 2022, was taken from AT&T's account on the data warehousing platform Snowflake. AT&T plans to notify around 110 million individuals affected by the breach.

The stolen data includes call and text records, phone numbers involved, the count of interactions per day and month, and total talk time. It also includes cell site ID numbers, which could help pinpoint users' approximate locations. However, it does not contain sensitive information like subscriber names, dates of birth, Social Security numbers, or call timestamps. Despite this, AT&T warns that publicly available tools could link phone numbers to specific names.

The breach, believed to have occurred between April 14 and April 25 of this year, was first discovered on April 19. AT&T immediately launched an investigation with external cybersecurity experts and notified the U.S. Securities and Exchange Commission (SEC) via an 8-K filing. The SEC mandates reporting material cybersecurity incidents within four days, except under certain circumstances. The U.S. Department of Justice allowed a delay in public disclosure during its investigation.

AT&T has been cooperating with law enforcement and reports that at least one person has been apprehended. AT&T clarified that this incident is unrelated to a separate data leak involving 70 million customers advertised by the ShinyHunters group in 2021.

In other Snowflake-related news, Advance Auto Parts disclosed a significant data breach affecting over two million job applicants and current and former employees. The breach, occurring from April 14, 2024, to May 24, 2024, compromised the company's Snowflake environment. Exposed data includes full names, Social Security numbers, driver's licenses, and government IDs. Advance Auto Parts is offering 12 months of free identity theft protection and credit monitoring through Experian. The incident was briefly acknowledged in a June Form 8-K SEC filing.

NATO will build a cyber defense center in Belgium. 

NATO members have agreed to establish the NATO Integrated Cyber Defence Centre (NICC) at the Supreme Headquarters Allied Powers Europe (SHAPE) in Belgium. Announced during NATO's 75th-anniversary summit in Washington DC, the NICC aims to enhance resilience and respond to digital threats.

The center will house civilian and military experts from member states and utilize advanced technology to improve situational awareness and collective cyber defense. Its primary role is to inform military commanders about offensive cyber threats and vulnerabilities, including those affecting civilian critical infrastructure.

NATO has been bolstering its cyber capabilities, conducting defense exercises and developing rapid response strategies. The NICC and similar initiatives respond to rising threats from countries like Russia and China, emphasizing the alliance's commitment to cybersecurity.

The White House outlines cybersecurity budget priorities.

The Executive Office of the President issued a memorandum outlining cybersecurity priorities for the FY 2026 budget. The OMB and ONCD will review agency responses, identify gaps, and provide feedback to ensure submissions align with the National Cybersecurity Strategy (NCS). Key priorities include defending critical infrastructure, disrupting threat actors, shaping market forces, investing in resilience, and forging international partnerships. Agencies must also enhance cybersecurity transparency, modernize IT systems, and adopt zero trust architectures. Budget submissions should support cybersecurity supply chain risk management and foster public-private sector collaboration. Agencies must update zero trust plans within 120 days and ensure resources for critical infrastructure protection and workforce development. Additionally, agencies are encouraged to support the secure use of open source software and prepare for quantum-resistant cryptography.

A popular phone spyware app suffers a major data breach.

mSpy, a popular phone spyware app, has suffered a major data breach, exposing the sensitive information of millions of customers. Brainstack, mSpy’s parent company, has not publicly acknowledged the breach. Disclosed by hacker Maia Arson Crimew, the breach involved over 100 gigabytes of Zendesk records, including millions of customer service tickets, email addresses, and email contents. The breach affects customers globally, including significant clusters in Europe, India, Japan, South America, the UK, and the US. Troy Hunt of Have I Been Pwned added 2.4 million unique email addresses from the breach to his site’s catalog. The breach underscores the risks of spyware, which can be misused for unauthorized surveillance. 

Some Linksys routers are sending user credentials in the clear. 

Users of Linksys Velop Pro 6E and 7 mesh routers should change their passwords and Wi-Fi network names through an external web browser. These models transmit sensitive data, including SSIDs and passwords, unencrypted to an Amazon server during initial setup, potentially exposing users to Man-in-the-Middle attacks, according to Belgian consumer organization Testaankoop. New patches have been released, but Linksys has not publicly addressed whether the latest firmware fixes the issue.

Sysdig reports on Crystalray malware. 

CRYSTALRAY, a threat actor known for using SSH-based malware, has expanded its operations to over 1,500 victims, utilizing multiple open-source software (OSS) tools, according to a Sysdig study. After initial access, CRYSTALRAY installs backdoors and spreads across networks using SSH-Snake to gather credentials for sale.

Sysdig reports that CRYSTALRAY's activities now include mass scanning, exploiting vulnerabilities, and deploying cryptominers for profit. They leverage OSS tools like zmap, asn, httpx, nuclei, and platypus, modifying existing vulnerability proofs of concept (PoCs) to carry their payloads.

The group targets cloud service providers to steal credentials, which are sold on black markets. To defend against such attacks, Sysdig emphasizes proper vulnerability, identity, and secrets management, alongside effective detection and prevention tools. Indicators of compromise (IoCs) are provided for reference.

A massive phishing campaign is exploiting Microsoft SharePoint servers. 

A massive phishing campaign is exploiting Microsoft SharePoint servers to host malicious PDFs with phishing links. The attack, observed by malware hunting service ANY.RUN, has surged, with over 500 detections in the last 24 hours. This campaign uses trusted SharePoint services, making it hard to detect malicious intent. The phishing flow involves an email link directing to a SharePoint PDF, a CAPTCHA prompt, and a fake Microsoft login page. Users should verify email sources, check URLs, and enable multi-factor authentication. Indicators of phishing include unexpected SharePoint notifications, mismatched file types, urgent requests, and suspicious login pages.
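The click-path described above (SharePoint-hosted PDF, CAPTCHA gate, lookalike Microsoft login page) can be triaged mechanically against the indicators the segment lists. The following is an added example written for this transcript, not code from ANY.RUN or the CyberWire; the sample chains, hostnames (all under reserved example domains) and the sign-in allowlist are constructed assumptions that a defender would replace with their own tenant's values.

```python
"""Triage one phishing click-path against the indicators named in the
segment: unexpected SharePoint notification, mismatched file type,
urgent wording, and a credential prompt on a suspicious login page.
Added example; hostnames and allowlist are constructed assumptions."""
import posixpath
import re
from urllib.parse import urlparse

# Hosts where a genuine Microsoft sign-in page is served (assumption:
# a defender's allowlist; add your federated IdP if you use one).
LEGIT_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
}
# Brand tokens that, on a non-allowlisted host, suggest a lookalike.
BRAND_TOKENS = re.compile(r"microsoft|office|o365|onedrive|sharepoint|outlook")
URGENT_WORDS = ("urgent", "immediately", "expire", "action required")


def host_of(url):
    """Lower-cased hostname of a URL ('' if it cannot be parsed)."""
    return (urlparse(url).hostname or "").lower()


def path_ext(url):
    """File extension of the URL path ('.pdf'), or '' when there is none."""
    return posixpath.splitext(urlparse(url).path.lower())[1]


def triage_chain(chain):
    """chain describes one observed click-path:
         subject, sender, tenant_domain, link_text, doc_url,
         steps: ordered URLs visited after the click (optional).
    Returns a list of indicator strings; an empty list means nothing flagged."""
    findings = []
    subject = chain.get("subject", "").lower()
    if any(w in subject for w in URGENT_WORDS):
        findings.append("urgent language in subject")

    # A SharePoint share notification from outside the organisation.
    sender_domain = chain.get("sender", "").rsplit("@", 1)[-1].lower()
    doc_host = host_of(chain["doc_url"])
    if doc_host.endswith(".sharepoint.com") and sender_domain != chain.get("tenant_domain"):
        findings.append("SharePoint share notification from outside the organization (%s)" % sender_domain)

    # Mismatched file type: the anchor text promises a PDF, the target is not one.
    if ".pdf" in chain.get("link_text", "").lower() and path_ext(chain["doc_url"]) != ".pdf":
        findings.append("link text says PDF but target is %s" % (path_ext(chain["doc_url"]) or "not a file"))

    # Walk the hops after the click and inspect any credential prompt.
    for url in chain.get("steps", []):
        parsed = urlparse(url)
        host, path = host_of(url), parsed.path.lower()
        if "captcha" in path:
            findings.append("CAPTCHA gate before credential prompt")
        if any(k in path for k in ("login", "signin", "auth")):
            if host not in LEGIT_LOGIN_HOSTS:
                findings.append("credential prompt on non-Microsoft host %s" % host)
                if BRAND_TOKENS.search(host):
                    findings.append("lookalike hostname %s" % host)
            if parsed.scheme != "https":
                findings.append("login page served without TLS")
    return findings


def verdict(findings):
    """block on any credential-page finding, review on anything else, else allow."""
    if any(f.startswith(("credential prompt", "lookalike", "login page")) for f in findings):
        return "block"
    return "review" if findings else "allow"


# Constructed sample chains (not real campaign data).
SUSPICIOUS_CHAIN = {
    "subject": "URGENT: invoice awaiting your signature",
    "sender": "notify@partner-example.test",
    "tenant_domain": "example.test",
    "link_text": "Invoice_Q2.pdf",
    "doc_url": "https://tenant-example-my.sharepoint.com/personal/u/Documents/Invoice_Q2.pdf",
    "steps": [
        "https://tenant-example-my.sharepoint.com/personal/u/Documents/Invoice_Q2.pdf",
        "https://secure-docs.example.net/captcha",
        "http://office365-login.example.net/signin",
    ],
}
BENIGN_CHAIN = {
    "subject": "Shared with you: Q2 planning deck",
    "sender": "colleague@example.test",
    "tenant_domain": "example.test",
    "link_text": "Q2_planning.pdf",
    "doc_url": "https://tenant-example.sharepoint.com/sites/plan/Q2_planning.pdf",
    "steps": ["https://login.microsoftonline.com/common/oauth2/authorize"],
}

if __name__ == "__main__":
    for name, chain in (("suspicious", SUSPICIOUS_CHAIN), ("benign", BENIGN_CHAIN)):
        f = triage_chain(chain)
        print(name, verdict(f), f)
```

The checks are deliberately host-based rather than content-based: a PDF hosted on a genuine SharePoint tenant carries no malicious code itself, so the signal is where the chain ends up asking for credentials, not where it starts.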

Germany strips Huawei and ZTE from 5G infrastructure. 

The German government has agreed with major telecom companies to phase out critical Huawei and ZTE components from their 5G infrastructure over the next five years. Interior Minister Nancy Faeser announced that Deutsche Telekom, Vodafone, and Telefonica would discontinue using Chinese-made components in core 5G network parts by the end of 2026 and from antennas, transmission lines, and towers by the end of 2029. This decision aims to protect Germany's economy and communication systems from potential cybersecurity risks. Despite no specific evidence against Huawei, the move aligns Germany with other European countries and the US, which have already restricted Huawei and ZTE equipment. 


Coming up, we’ve got Brandon Karpf's conversation with Brigid Johnson at the AWS re:Inforce 2024 conference. They discussed the importance of identity and where we need to go. 

We’ll be right back

Welcome back. You can find a link to Brigid’s talk from re:Inforce in the show notes.

The EU tells X-Twitter to clean up its act or pay the price. 

And finally, the European Commission has formally told Elon Musk's social media platform X (formerly Twitter) that it believes the company is breaching the EU’s tech regulations. This revelation follows a December investigation and could lead to fines of up to 6% of X's global annual turnover. The Commission's preliminary findings accuse X of breaking Digital Services Act (DSA) rules on dark patterns, advertising transparency, and data access for researchers.

X's sale of the "blue checkmark" for verification has been deemed deceptive, with malicious actors using it to fool users. The platform's non-compliance with EU transparency laws for ads also ruffled feathers, as its ad repository apparently rivals a labyrinth in complexity.

Moreover, X's data access policies for researchers were likened to a Herculean challenge, with exorbitant fees and restricted API access making it nearly impossible for researchers to do their job.

Thierry Breton, the Commissioner for the Internal Market, hinted at significant fines and mandatory changes if these findings hold. While TikTok and Meta are also under the EU's magnifying glass, X has the option to appeal and suggest remedies.

Interestingly, since going private, X no longer discloses its revenues, though Musk admitted to declining earnings last year.

When it comes to compliance, Mr. Musk’s X seems to be lost in cyberspace.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.