AT&T Data Breach Affects All Customers of Wireless Communications

On July 13, 2024, AT&T published a SEC filing regarding the several-month investigation of the malicious activity. As it turned out, the hackers managed to get access to company’s databases and keep it for several weeks. From April 14 to April 25, 2024, threat actors extracted quite a substantial amount of information about the customers of the company and related organizations (MVNOs).

List of mobile virtual network operators affected by the breach

In particular, AT&T discloses the leakage of files that contain data about calls and SMS sent between numbers (date, call durations, phone numbers etc). The actuality of the leak, however, is in question: adversaries allegedly got their hands only on older databases, specifically one that have kept records from May to October 2022. It is not clear from the company’s filing whether hackers had access to more files, but exfiltrated only this part, or this was the only piece of data they managed to get to.

But even with this, lesser scale of the breach, the consequences are not ones to ignore. The data from the exact breach contains so-called cell site identification numbers. Those are special codes that identify the cell tower(s) each of the call participants were connected to. With that info, and also data from several other leaks from AT&T, especially ones that coincide in dates with what was leaked, hackers can get detailed information on who, where from and how long was talking.

How did AT&T Hack Happen?

Following the disclosure of the hack, a spokesperson of AT&T disclosed that the hack take place at Snowflake’s cloud DBs. As it turned out earlier, the cloud tech company ignored important account protection measures, which led to a massive number of companies getting consequently hacked. And AT&T appears to be yet another victim. Hackers appear to access databases that the telecom company kept in the Snowflake cloud storages.

The ongoing investigation already figured out that the Snowflake’s flaws are exploited by one specfic group of cybercriminals. In particular, Mandiant names several citizens of North American countries and Turkey as guilty for all these attacks. Still, despite the power of US law enforcements, these actors are not detained yet.

Should I be concerned?

Although the potential of the breach is rather high, the leaked data is useful almost exclusively in targeted attacks. AT&T specifically pointed out that hackers did not leak any sensitive information, like SSN or personal info.

Nonetheless, the company likely has something it does not want to disclose, as they promise to “notify the customers about their data exposed in the breach”. Sure enough, this may touch just the phone calls and SMS that I’ve mentioned above. But it is a bad idea to underestimate what hackers could have leaked – this never went well historically.

The post AT&T Hacked in April, All Wireless Customers Affected appeared first on Gridinsoft Blog.

Backdoor in XZ Compromised Numerous Linux Systems

The story around the backdoor in XZ data compression tool is nothing short of marvelous, from both ends, and may probably be screened in future. A guy under the nickname Jia Tan was making his way to the status of project administrator since 2021. Typically for any tech savvy open-source project user, he started offering his fixes for bugs and new functions. Allegedly by creating a huge number of bug reports, the guy forced the manager to seek for an aide, with Jia being the best candidate at that moment.

This long road was needed to hide a tiny, deeply concealed backdoor (CVE-2024-3094) that is not even available from the public GitHub repository. The catch actually hides within the version that goes to the dependent project, mainly major Linux distributions. Files responsible for the backdoor initiation appear as test ones. This explains why it took so long: to avoid detection, Jia Tan was forced into adding each piece gradually, making it look like a development routine. A proper special operation, one may say.

The resulting flaw allowed for the unauthenticated SSH access to any machine. The only condition here is the infected XZ package and SSH usage. This, in turn, endangers thousands of servers that system administrators quite commonly connect through this protocol. Linux is a backbone of cloud servers, and having such a backdoor access effectively means leaking all the data they store.

More of the special operation things surfaced during the ongoing investigation. Shortly after Jia pushed the malicious fixes, numerous XZ update requests popped up in feedback hubs of different Linux distributions. Investigators suppose that either Jia Tan or his associates posted these comments. Some of the distros adhered to them and pulled the infected version, effectively installing the malware into their product.

How Was It Discovered?

The way the backdoor was discovered, on the other hand, sounds more like a miracle. Andres Freund, the developer, noticed that the SSH authentication takes 500ms longer than usual. Also, the operation started taking more CPU power than it used to, which intrigued Anders to search for a new bug. Searches quickly led him to the updated XZ version, and consequently to the backdoor built into it.

Andres Freund released his notification regarding the malicious changes on March 29, 2024. It is still unclear how long these changes were live, but Linux distributions were using them in release versions since early March. Among them are the following distros and versions:

Mitigations and Fixes

Upon discovering the backdoor code, the project maintainers instantly took down the GitHub repository. Though, further research showed that there was no need for this. As I’ve mentioned, malicious code was hidden in test files, mainly used in dependent projects like distributions. This, however, did not make the task any easier.

Together with the developers and maintainers of affected distros, Andres Freund elaborated both the list of affected versions and possible mitigations. Users should downgrade to the versions that do not contain malicious code, or upgrade to ones where it is already gone. At the same time, the investigation keeps going, as this supply chain attack can have more severe effects.

The post XZ Utils Backdoor Discovered, Threating Linux Servers appeared first on Gridinsoft Blog.

What is cybersecurity risk?

The digital world is such that hackers constantly explore enterprise networks and supply chains in search of the weakest link. In the event of a successful breach, they can remain undetected for a prolonged period. Moreover, they begin to laterally move to search for valuable information or conduct surveillance for further deployment of malicious payloads. Cyber risk is the sum of vulnerabilities and risks associated with your organization’s digital footprint. Cyber risk is the potential for threats, damages, or losses related to using information technology and digital assets. This includes on-premises and cloud systems, applications, data, networks, and remote devices. Cyber risk encompasses risks related to:

• Cyberattacks
• Cybercrimes
• Data security breaches
• Confidential information leaks
• Personal data breaches

So, cyber risk measurment is essential in today’s information society, and its management and protection are becoming increasingly significant for organizations.

Cyber risk assessment

Ranking risks as high, medium, and low can be interpreted differently. Moreover, knowing which risks to focus on first is difficult, especially when multiple risks are ranked as a medium. However, you can inject accuracy and clarity into your assessments by measuring cyber risk exposure in monetary terms. This helps determine which risks to tackle and where to allocate cybersecurity resources for maximum impact.

How to manage cybersecurity risk

If you feel that dealing with such a multitude of cyber vulnerabilities will be a challenging task, the truth is, you are right, but it is possible. Managing exposure to cyber risks is an ongoing process that involves continuous identification, prioritization, reporting, and remediation of security issues. It also reduces the risk of vulnerabilities in third-party supply chain links. Understanding the expanding attack surface will allow you to manage your exposure to cyber threats. The following steps will help prioritize vulnerability management and remediation using a combination of people, processes, and technology:

Tools to automatically scan and inventory the attack surface

Automated scanning tools assess and catalog potential vulnerabilities in your digital infrastructure, detecting weaknesses in your network, systems, applications, and devices. They generate reports highlighting identified weaknesses, saving time and ensuring accurate results. These tools are suitable for organizations of all sizes and facilitate continuous monitoring to detect new vulnerabilities as they arise. However, they should be part of a comprehensive cybersecurity strategy that includes regular patching and security awareness training. Having a lot of digital assets can increase the chances of vulnerabilities. In addition, shadow IT can further complicate security. Attack surface scanning can help identify hidden risks and prioritize remediation.

Formation of a response team

Forming a cyber exposure response team is essential to respond to cyber threats and incidents effectively. It includes defining team objectives, identifying key roles and responsibilities, building a diverse and skilled team, establishing clear communication channels, developing response procedures and protocols, defining escalation and decision-making processes, conducting training and exercises, and regularly reviewing and updating the response plan. As we can see, dealing with cyber threats is a team effort that involves different departments.

Organizations can better detect and respond to cyber threats and exposures with a dedicated team. For example, SOC teams handle the immediate threat, while legal and risk management teams manage data and regulatory issues. Communication and customer success teams work on communicating with stakeholders, and HR managers handle employee questions. Regular drills and incident response processes keep the team prepared.

Continuous monitoring

Continuous monitoring for cyber risk exposure involves regularly assessing and evaluating systems, networks, and digital assets to identify potential threats and vulnerabilities. You can do that through automated monitoring tools, real-time threat intelligence, regular vulnerability assessments, patch and update management. Other useful options are log and event monitoring, user behavior analytics, and training for incident response readiness and security awareness. By proactively monitoring cyber risks, organizations can mitigate potential threats and enhance their overall security posture.

Assess risk from third parties

Remember to assess your third-party vendors for cyber risk thoroughly. Many network intrusions and disruptions come from them. Regular security audits and monitoring with risk assessment tools can help you stay proactive and prevent supply chain attacks. Use technology to quickly identify red flags, track security changes, and detect emerging vulnerabilities. Assessing third-party risk is crucial for effective cyber risk management.

• сonduct thorough due diligence
• establish clear contractual agreements
• develop a formal vendor risk assessment process
• implement continuous monitoring
• collaborate on incident response planning
• implement strong data protection measures
• evaluate business continuity and disaster recovery plans
• ensure compliance with relevant regulations

By doing so, organizations can identify potential vulnerabilities, implement appropriate measures to protect sensitive data and minimize overall cyber risk associated with third-party relationships.

Data Security

To protect valuable information from cyber threats, implement robust encryption for data at rest and in transit, enforce strong access controls with MFA, and regularly back up and test data recovery procedures. Periodically review and update security practices to stay ahead of evolving threats. Data integration strengthens data security by consolidating disparate sources into a single platform. This unified approach reduces the risk of data breaches and unauthorized access, ultimately minimizing cyber exposure. CISOs can enhance their company’s reputation for security by being proactive and using innovative approaches to strengthen security. Integrations provide additional capabilities for rich partner data and insights via secondary data points relating to vulnerabilities and security scores for each asset.

Implementing a data integration strategy enhances security, improves quality, and streamlines workflows. In addition, it ensures compliance and gains insights for B2B companies in a data-driven world.

The post What is Cyber Risk Exposure and How Can You Manage It? appeared first on Gridinsoft Blog.

What is Third Party Data Breach?

Third party data breach occur when cybercriminals compromise the computer systems of your vendors or business partners and access your sensitive information. It is necessary to note that any vendor in your business network can be vulnerable to such attacks, and studies suggest that approximately 60% of all data breaches are caused by third-party vendors.

Experiencing a security breach can have serious financial consequences for your business, irrespective of the cause. An industry report says the average recovery and remediation cost is more than $7 million. This risk is especially significant for credit card companies, email service providers, and those offering cloud services.

Third-party suppliers, partners, and vendors are crucial to businesses but also vulnerable to cybercriminals. A breach can have severe consequences for everyone involved, not just the industry affected.

Examples of data Breaches Caused by Third-Party Vendors

Cyber attacks like phishing and ransomware have increased during the COVID pandemic as many employees work from home using virtual private network (VPN) connections with varying levels of security. These attacks can result in data breaches, a common occurrence in cybercrime.

To have a better understanding of what types of data can leak, let’s appeal to the examples of third party data breach. Here are some:

• One of the world’s largest electronics companies, General Electric (GE), recently announced that the sensitive information of current and former employees may have been exposed in a data breach at Canon, a third-party company.
• T-Mobile lost control over the personal information of approximately 1 million customers after experiencing a hack on their email provider.
• Health Share of Oregon, an organization that manages healthcare services for Medicaid clients in Oregon, experienced a security breach when an unencrypted laptop was stolen. This resulted in the exposure of personal information belonging to more than 650,000 clients.
• Improperly secured websites and login information storage can lead to security breaches. Recently, a bug on a website called Social Captain allowed unauthorized access to thousands of Instagram usernames and passwords.

These few examples I found are already enough to understand which data categories are endangered. Pretty much everything you share with your contractors – trade secrets, payment information, amounts of supplies and dates of delivery, info about other contractors – all these things may become a subject of the leak. The exact type of information exposed generally depends on the way the third party data breach happened.

Various ways data breaches by third-parties

Organizations must assess and manage the risks associated with third-party relationships and implement appropriate security measures to effectively prevent and respond to these types of breaches:

Supply Chain Attacks

In this attack, hackers exploit a trusted third-party vendor or supplier to gain unauthorized access to an organization’s systems or data. They use weaknesses in the third-party’s infrastructure or software to infiltrate the organization’s network and steal sensitive information.

Cloud Service Provider Breaches

Many organizations trust cloud service providers to store and manage their data. However, if a data breach happens, it could put the data of multiple clients at risk. This kind of breach can happen because of provider infrastructure weaknesses, poorly set up access controls or insider threats.

Outsourcing Partner Breaches

Outsourcing involves hiring a third-party service provider to perform tasks that the company’s employees traditionally did. These tasks can range from back-office support to manufacturing. However, companies need to be careful when outsourcing certain functions or services to external partners because that is a chance of a data breach if the partner’s security measures are inadequate. This can happen if the partner mishandles data, experiences a cyberattack, or has internal security weaknesses.

Payment Processor Breaches

When you purchase with a credit card, a payment processor helps facilitate the transaction between the seller and the bank. They ensure that the seller receives their payment and that everything is processed securely. However, if a payment processor’s security is compromised, it could result in the theft of crucial financial information like personal details or credit card numbers.

Insider Threats

An insider threat occurs when individuals who have permission to access an organization’s network, applications, or databases take harmful actions. These individuals can include former or current employees and third-party entities like partners, contractors, or temporary workers. They may also have gained access through compromised service accounts. In some cases, insiders within third-party organizations may intentionally access or disclose sensitive data without authorization, either for personal gain, malicious intent, or due to coercion.

Preventing Third Party Data Breach

It can be challenging for businesses to hold third-party vendors responsible, mainly if there is no established third-party security policy or program. Ideally, all third-party vendors should adhere to the same strict standards and data security measures that your company has internally.

1. Audit Third-Party Vendors for Compliance

Before bringing on any third-party vendors, discussing risk management requirements with them upfront is important. Some vendors may be close to being audited by partners, so it’s crucial to ensure they are willing to answer questionnaires as part of your due diligence process. If a vendor resists this, they may resist an audit.

Maintaining up-to-date data protection measures is key to building a solid relationship with third-party vendors. Conducting an audit is the best solution to ensure your vendor is following security compliance frameworks and has performed well in previous audits. During the audit, look for any indicators of compromise and assess how well the vendor manages cybersecurity risks.

2. Require Proof of the Third-Party Vendor’s Cybersecurity Program

It’s not enough for the vendor to have an information security program when preventing third-party breaches. They must also demonstrate a commitment to risk management and allocate resources to their vulnerability management program. To ensure this, ask for the vendor’s most recent internal risk assessments, penetration testing results, and compliance frameworks. The vendor must have a strong risk management program, a strategy for mitigating supply chain risks, and a plan for addressing potential data breaches.

3. Adopt a Least-Privileged Model for Data Access

It’s common for third-party data breaches to happen when the provider is given more access than they need to do their job. To improve your network security, enforcing strict access standards for third-party service providers is important. This means giving them the lowest level of access necessary. It’s also crucial to be cautious with sensitive data like Social Security numbers and personal information. By following these least-privileged access standards, you can effectively manage vendor risk and minimize any potential damage from a breach.

4. Adopt the Zero-Trust Network and Data Model

It’s crucial to map, authenticate, and encrypt your network flows to enhance your security ratings. Even if cybercriminals infiltrate a part of your computer system, implementing a zero-trust model prevents them from moving laterally. You can’t trust any entity inside or outside your established network perimeter. To strengthen this framework, it’s essential to enforce multi-factor authentication or biometric identification for all users as part of your cybersecurity protocol.

The post Third Party Data Breach: Definition and How to Prevent It appeared first on Gridinsoft Blog.

What is the 3CX Phone System?

3CX Phone System is a software phone communication program developed by an eponymous company. It provides VoIP communication with a connection to PSTN. All of the operations are served in the cloud, which makes it convenient for use even in small companies. As of the beginning of 2023, the company boasted 12+ million customers in over 600,000 companies around the world. The company provides services to the world’s most-known names, such as Toyota, BMW, Avira, McDonald’s, Boss, Hilton, and IKEA.

Being a company with such success and so notable clients is always a serious responsibility, both image- and cash-worthy. That requires corresponding attention to all the elements of your infrastructure and personnel – to avoid any risks related to security breaches. Supply chain management must be even more diligent in security questions, as consequently linked single-purpose elements are often prone to break. And that is what happened to 3CX.

What is the 3CX supply chain attack about?

Supply chain attacks suppose hacker integration at a certain stage of the supply chain. The researchers who examined the case yet did not find a certain place where the breach could have happened. From what is known now, it is clear that hackers managed to forge the installer and force it doing what they want. That clue points to the fact that crooks made their way to the installer’s source code, as it has no problems with certificates and signatures. The attack itself resembles the SolarWinds hack that happened back in 2020.

After launching the installer, an unsuspecting user will see the routine installation procedure. However, in the background, the binary file will connect to a GitHub repository to get an ICO file. That is actually a second-stage payload, which contains data encoded with base64. Short research shows that this data is a set of shell codes, which execution calls for the next step. They force the system to connect to the C2 and pull the third-stage payload.

Third stage – the final one – is a DLL file, a classic form of the vast majority of modern malware. After retrieving the library, one of the shellcodes makes it run. It seems to be an infostealer that grabs web browser data from an infected system, particularly browsing history. Malware aims for a pretty short list of browsers – Chrome, Edge, Firefox and Brave. Such behaviour is different from common spyware and stealers, thus the malware is most likely a brand new one, possibly created specifically for this attack. Threat researchers from SentinelOne, who were the first to detect dubious activity, coined it SmoothOperator.

Is the 3CX attack dangerous?

As any other spyware attack, it is. Despite the less-than-usual amount of data collected by the detected stealer, the potential scale of this attack is tremendous. We already mentioned the number of 3CX users worldwide – and imagine how many potential victims may be among them. Yes, not all users have installed the infested update, and some of them were saved by anti-malware software. But it is possible that they are in the minority.

The NHS has issued a cyber alert with a "High" severity ranking warning about this active intrusion campaign, warning "legitimate versions of 3CX DesktopApp have been compromised and are being actively exploited."

Alert here: https://t.co/J3NTs6rMD5 https://t.co/M7yBauSlcy

— Alexander Martin (@AlexMartin) March 30, 2023

Given that ignoring the updates is not a very good practice, the only way to protect against such a breach is by using a superb security tool. Its superiority should be defined not only by detection capabilities and amount of functions but also by the zero-trust policy. Regular anti-malware programs generally rely on the trustiness of a program, and will likely ignore malignant activity around a signed installation binary. Zero-trust one, on the other hand, treats any file as potentially hazardous and applies all kinds of checkups to ensure that it is secure.

The post 3CX Phone System is Struck With Chain Supply Attack appeared first on Gridinsoft Blog.