Cyber Security Headlines – August 19, 2021

T-Mobile says hackers stole records belonging to 48.6 million individuals

Following up on a story we brought to you earlier this week, T-Mobile has confirmed its sixth major data breach in the last four years. According to T-Mobile, attackers breached its servers and stole files containing the personal information of roughly 7.8 million T-Mobile postpaid customers, 850,000 T-Mobile prepaid users, and 40 million former or prospective customers. T-Mobile indicated that the stolen data included customer names, dates of birth, Social Security numbers, and driver’s license information. T-Mobile has already reset all the PINs for affected accounts and is offering two years of free identity protection with McAfee’s ID Theft Protection Service.

(Bleeping Computer)

OIG issues report on US Census Bureau breach

The US Office of Inspector General (OIG) has released a report on the breach of US Census Bureau servers on January 11, after hackers exploited an unpatched Citrix ADC zero-day vulnerability. The OIG noted that the compromised servers allowed remote access to production, development, and lab networks, but not to 2020 decennial census data. While the attackers were able to set up rogue admin accounts, they were unable to deploy backdoors to maintain access and ultimately achieve their goals. According to the OIG report, the Bureau failed to discover and report the attack in a timely manner and also failed to maintain sufficient system logs, hindering the investigation of the incident.

(Bleeping Computer)

Operator of the Helix bitcoin mixer pleads guilty to money laundering

Larry Dean Harmon, a 38-year-old from Ohio who was fined $60 million last year for violating anti-money laundering laws, pleaded guilty Wednesday to moving hundreds of millions of dollars in cryptocurrency on behalf of dark web marketplaces including AlphaBay, Cloud 9, and Evolution. Harmon admitted to running a cryptocurrency tumbler called Helix between 2014 and 2017 which, according to prosecutors, moved over 350,000 bitcoins, worth more than $300 million at the time. As part of his plea agreement, Harmon agreed to forfeit more than 4,400 bitcoins (now worth $200 million) and other seized property, and he faces up to 20 years in prison.

(The Record)

US hospitals divert care after cyber-attack

A ransomware attack on Memorial Health System this past Sunday forced hospitals in West Virginia and Ohio to divert patients to other care providers and work from paper records. The assault disrupted IT systems at nearly all the health system’s 64 clinics and three hospitals. By midnight on Sunday, the hospitals were turning away patients, except for heart-attack, stroke and trauma patients, and cancelling non-urgent operations. On Wednesday, Memorial Health System president and CEO Scott Cantley indicated that Memorial Health was working with national cybersecurity experts to bring systems back online securely. Early indications are that the attack did not involve a data leak, and it is not yet clear whether Memorial Health paid a ransom.

(Infosecurity Magazine)

Thanks to our episode sponsor, Copado

DevOps is the biggest revolution since the cloud. And Copado happens to be the #1 native DevOps solution for Salesforce and SaaS. So say goodbye to tedious deployments, disconnected teams and security risks. Copado provides visibility over your entire lifecycle and empowers your developers to release software 5 times faster.
Want to experience the Copado effect? Get a demo at Copado.com

Apple reopens legal battle against Corellium

Following up on a story Cyber Security Headlines brought to you last Thursday, Apple has filed an appeal related to the ongoing lawsuit against the security firm Corellium just days after settling. Apple is appealing a December ruling that dismissed an argument claiming Corellium had infringed Apple’s copyright by offering researchers a simulated iOS environment to hunt for bugs. Just one day before the appeal, Corellium announced a plan to provide $5,000 grants to security researchers to probe the security and privacy of iOS applications, including Apple’s new and controversial child sexual abuse material scanning. Blake Reid, a professor at the University of Colorado’s law school, said, “This is not a sign of goodwill towards the security research community. I cannot imagine it is going to help them rebuild any credibility.”

(CyberScoop)

Fortinet delays patching zero-day allowing remote server takeover

Fortinet has delayed patching a zero-day command injection vulnerability found in the FortiWeb web application firewall (WAF) until the end of August. The vuln could allow attackers to execute arbitrary commands as the root user on the underlying system via the SAML server configuration page. Though attackers must be authenticated to FortiWeb’s management interface to exploit the bug, it can be easily chained together with other known vulnerabilities to take full control of vulnerable servers. The issue was discovered by Rapid7, which says it published the vulnerability publicly after receiving no response from Fortinet since its private disclosure 68 days earlier. Admins are advised to block access to FortiWeb’s management interface from untrusted networks until a patch is made available.

(Bleeping Computer)

GitHub urges users to enable 2FA after going passwordless

GitHub urges users to adopt two-factor authentication (2FA) after deprecating password-based authentication for Git operations last Friday. The company’s Chief Security Officer Mike Hanley recommends using physical security keys, virtual security keys built into devices like phones and laptops, or Time-based One-Time Password (TOTP) authenticator apps. While SMS-based 2FA is also available, it should be avoided if possible given that threat actors can more easily bypass or steal SMS 2FA tokens. Hanley added, “The benefits of multifactor authentication are widely documented and protect against a wide range of attacks, such as phishing.”

(Bleeping Computer)

New Windows 10 build introduces improved security features

On Wednesday, Microsoft released Windows 10 21H2 build 19044.1200, which includes a new Windows Hello security feature as well as support for WPA3 H2E. Windows Hello for Business introduces a new deployment method called cloud trust to support simplified passwordless deployments and achieve a deploy-to-run state within just a few minutes. The WPA3 H2E (Hash-to-Element) protocol adds better protection against a Wi-Fi side-channel attack called “Dragonblood” that could be used to recover a WPA3 password. According to Cisco, “H2E is significantly more computationally efficient and provides robust resistance to side channel attack.”

(Bleeping Computer)

Sean Kelly
Sean Kelly is a cyber risk professional and leader who thrives on learning, collaborating and helping the business securely advance its mission. Sean is also a musician and outdoor enthusiast who loves spending time with his family and two cats.