Cyber Security Headlines: Android lockscreen bypass, Lockbit hits Thales, FTX funds disappear

Android phone owner accidentally finds a way to bypass lock screen

Cybersecurity researcher David Schütz accidentally found a way to bypass the lock screen on his fully patched Google Pixel 6 and Pixel 5 smartphones, enabling anyone with physical access to the device to unlock it. Schütz says he discovered the flaw by accident after his Pixel 6 ran out of battery: he entered his PIN incorrectly three times, then recovered the locked SIM card using the PUK (Personal Unblocking Key) code. To his surprise, after unlocking the SIM and selecting a new PIN, the device didn’t ask for the lock screen password but only requested a fingerprint scan. Google fixed the issue in the latest Android update, released last week, but the bypass had been exploitable for at least six months.

(Bleeping Computer)

Thales hit by Lockbit 3.0 again

Thales is a global high-tech leader headquartered in Paris with more than 81,000 employees worldwide. Earlier this month, it confirmed that it had been hit for a second time by the ransomware group LockBit. The gang threatened to publish stolen data by November 7 if the ransom was not paid by its deadline. The deadline passed, and the gang made good on its threat: on Friday, it started publishing confidential data stolen from the company. Thales, however, has downplayed the incident, saying the security breach will have no impact on its activities.

(Security Affairs)

At least $1 billion of client funds missing at FTX

The cryptocurrency exchange’s founder Sam Bankman-Fried secretly transferred $10 billion of customer funds from FTX to his own trading company Alameda Research, according to sources speaking to Reuters. A large portion of that total has since disappeared, say the sources, who put the missing amount at between $1 billion and $2 billion. While it is known that FTX moved customer funds to Alameda, the missing funds are being reported by Reuters for the first time. In text messages, Bankman-Fried said he “disagreed with the characterization” of the $10 billion transfer. He continued, “we didn’t secretly transfer, we had confusing internal labeling and misread it,” without elaborating. Asked about the missing funds, Bankman-Fried responded: “???”

(Reuters)

Australian Federal Police say cybercriminals in Russia behind Medibank hack

The Australian Federal Police (AFP) say they have identified the perpetrators of the hack and attempted extortion of health insurer Medibank. Medibank stated last week that it would not pay a ransom after hackers gained access to the highly sensitive data of 9.7 million current and former customers, including 1.8 million international customers living abroad. Although the AFP did not identify the perpetrators by name, they appear confident that they know who they are pursuing and that they are based in Russia. Medibank has now been listed on the extortion site formerly operated by REvil. Listeners who want to follow this story may be interested in a podcast episode in The Guardian’s Full Story series, out now, which describes the hack and its developments in greater detail.

(The Record and The Guardian)

Thanks to this week’s episode sponsor, AppOmni

Can you name all the third-party apps connected to your major SaaS platforms like Salesforce and Microsoft? What about the data these apps can access? After all, one compromised third-party app could put your entire SaaS ecosystem at risk.

With AppOmni, you get visibility into all third-party apps, including which end users have enabled them and the level of data access they’ve been granted. Visit AppOmni.com to request a free risk assessment.

Avoid using blue mailboxes during the holidays, USPS warns

According to USPS officials, “groups of criminals across the country are using the internet and social media to coordinate strategic targeting of post office collection boxes.” If you do opt to use the blue collection boxes, be sure to do so before the last collection of the day, so your mail isn’t sitting in there overnight. The collection time should be listed on the front of the box. This is especially true on Saturday, as the mail would be in there overnight plus all of Sunday. This may sound tame, but postal mail is still a direct source of data for identity theft, and volumes typically increase ahead of the holiday season.

(LifeHacker and Advance Local)

Elon Musk culls Twitter contractors after mass employee layoffs

After laying off half its staff earlier this month, Twitter on Saturday started culling its vast ranks of contract staff, sources confirmed to Axios. The unspecified number of contractors worked in various fields, including content moderation. These contractors may be unable to collect their final paychecks since their teams no longer have any full-time Twitter employees to sign off on their time cards. Some only found out by seeing that their access to Twitter’s computer systems had been shut off.

(Axios)

CISA chief ‘encouraged’ by lack of attacks on midterms

Jen Easterly told The Record and CNN that she was encouraged by the lack of activity from cyber adversaries. She said that no state asked for incident response help on Election Day and there were no ransomware incidents. She also noted that, unlike in previous elections, CISA was able to use its Joint Cyber Defense Collaborative — the organization’s public-private coordination hub — to “respond to things that were happening that were, again, low level and not impactful.” She added though that the threat environment for the 2024 presidential election promised to be more complicated.

(The Record)

Last week in ransomware

The big news last week was the arrest of a Russian LockBit member in Canada, who is said to be responsible for making ransom demands of between €5 million and €70 million. Over the past few weeks, a threat actor has been trolling victims by distributing the Azov ransomware and blaming its creation on cybersecurity researchers and journalists. This ransomware was later confirmed to be a data wiper that overwrites alternating 666-byte blocks of data with garbage, making it impossible to recover the data. Other reports have linked the Black Basta ransomware to FIN7 (Carbanak), warned that Venus ransomware is targeting healthcare, linked the Russian Sandworm hackers to Ukrainian ransomware attacks, and detailed how a threat actor is distributing LockBit through the Amadey botnet. Finally, in addition to Medibank, we saw stories about LockBit hitting automotive giant Continental, Black Basta being behind disruptions at Canadian food retail giant Sobeys, and UK Grand Prix organization Silverstone appearing on a ransomware leak site.

(Bleeping Computer and CISOSeries)