T-Mobile discloses data breach
The carrier began notifying customers on December 29th that a “security incident” exposed account information, later announcing that its security teams recently discovered “malicious, unauthorized access” to its systems. Customers’ proprietary network information was exposed as a result, including phone numbers, call records, and the number of lines on an account. T-Mobile said that account holders’ names, physical addresses, email addresses, financial data, credit card information, social security numbers, tax IDs, passwords, and PINs were not exposed. However, phone numbers could be used to initiate phishing schemes seemingly coming from T-Mobile.
CISA updates SolarWinds guidance
As part of the updated guidance to deal with the fallout from the supply chain attack, CISA now says that all government agencies still running the SolarWinds Orion platform must update to the latest version by the end of 2020. All systems running Orion that cannot be updated by that deadline must be taken offline. This update comes after security researchers discovered a new actively exploited Orion vulnerability over the holiday weekend, an authentication bypass in the Orion API that allows attackers to execute remote code on Orion installations. This was being used to install the Supernova malware on servers, a completely separate attack from the supply chain attack.
Emotet strikes Lithuanian health infrastructure
The internal networks of Lithuania’s National Center for Public Health (NVSC) and several municipalities were infected by the botnet, as part of a larger attack on the country’s state institutions. Once infected, systems began sending fake emails or engaging in other types of malicious activity. On December 29th, NVSC shut down its email systems to stop further spread of Emotet. The investigation found that the malware was able to spread undetected because it sent reply messages carrying malicious code in password-protected attachments, with the password included in the email body. This is the second large-scale Emotet campaign to hit Lithuania this year.
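The evasion described above (a reply-style lure, an encrypted archive the gateway cannot inspect, and the password handed over in the body) is something mail filters can flag even without opening the archive. The following is an added detection example, not code from the original story or from any of the affected institutions: it builds a constructed sample message with a hypothetical encrypted zip and checks the three signals together. The filenames, addresses, password and regex are all assumptions made for the illustration.

```python
import email
import email.policy
import io
import re
import zipfile
from email.message import EmailMessage

# Phrases like "Password: Q1w2e3r4" or "pass is abcd1234" in the body (assumed pattern).
PASSWORD_RE = re.compile(
    r"\b(?:password|pass|pwd)\b\s*(?:is|:)?\s*([A-Za-z0-9!@#$%^&*_-]{4,})", re.I
)


def _encrypted_zip_bytes() -> bytes:
    """Build a zip whose headers carry the 'encrypted' general-purpose flag (bit 0).
    The content is harmless placeholder text; only the header flag matters here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.doc", "placeholder content")
    data = bytearray(buf.getvalue())
    # Flag field sits at offset 6 of the local header and offset 8 of the central directory.
    lh = data.find(b"PK\x03\x04")
    data[lh + 6] |= 1
    cd = data.find(b"PK\x01\x02")
    data[cd + 8] |= 1
    return bytes(data)


def build_sample_eml() -> bytes:
    """Constructed sample lure: reply subject, password in the body, encrypted zip attached."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.org"
    msg["To"] = "staff@example.org"
    msg["Subject"] = "RE: RE: document"
    msg.set_content("Hi,\n\nPlease see the attached file. Password: Q1w2e3r4\n\nRegards")
    msg.add_attachment(_encrypted_zip_bytes(), maintype="application",
                       subtype="zip", filename="document.zip")
    return msg.as_bytes()


def build_benign_eml() -> bytes:
    """Constructed benign message used as a negative control."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.org"
    msg["To"] = "staff@example.org"
    msg["Subject"] = "Meeting notes"
    msg.set_content("Notes from today's meeting are below.\n\n- item one\n- item two")
    return msg.as_bytes()


def zip_is_encrypted(blob: bytes) -> bool:
    """True if any entry in the archive has the encryption flag set; archives that
    are not valid zips are treated as not encrypted (handled elsewhere)."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False


def analyze(raw: bytes) -> dict:
    """Return the three signals and a combined verdict for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    body = ""
    encrypted_attachments = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_content_disposition() == "attachment":
            payload = part.get_payload(decode=True) or b""
            if zip_is_encrypted(payload):
                encrypted_attachments.append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            body += part.get_content()
    match = PASSWORD_RE.search(body)
    subject = msg.get("Subject", "")
    reply_chain = subject.lower().startswith(("re:", "fw:", "fwd:"))
    return {
        "encrypted_attachments": encrypted_attachments,
        "password_in_body": match.group(1) if match else None,
        "reply_chain": reply_chain,
        # Encrypted archive plus password in the body is the core signal; the reply
        # subject is corroborating, so the verdict does not depend on it alone.
        "suspicious": bool(encrypted_attachments) and match is not None,
    }


if __name__ == "__main__":
    print(analyze(build_sample_eml()))
    print(analyze(build_benign_eml()))
```

The check never attempts to open the archive with the recovered password; it only needs the zip header flag and the body text, which keeps it cheap to run at a mail gateway and safe against archives that would otherwise be detonated. A real deployment would quarantine rather than block outright, since legitimate senders also share encrypted attachments this way.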
Apple loses copyright case against Corellium
Last summer, Apple sued the security startup over copyright infringement for providing an emulated version of the iOS operating system. U.S. District Judge Rodney Smith ruled in favor of Corellium, saying the emulation amounted to fair use, given that it was “transformative” for security researchers by adding capabilities like letting users see and halt running processes and take live snapshots. In the ruling, Judge Smith did say Apple may still pursue a separate federal lawsuit on the grounds that Corellium circumvented its security measures when creating its software.
Thanks to our episode sponsor, ReversingLabs
FBI investigating hijacked smart home devices
Attackers were hijacking the devices to access their microphones and video feeds, in order to watch victims get swatted, or have the police called on them. The attackers used credential stuffing, attempting to reuse usernames and passwords previously leaked in other data breaches, to access the devices. In some instances, the attackers also live streamed the video from the compromised devices over the internet. Many of the calls made to police to initiate the swatting were done through dark web services or Discord bots that allow for anonymous calls. The FBI said it’s working with device makers to better inform customers about setting unique passwords, and advising local first responders about this new tactic.
Wasabi knocked offline for hosting malware
The cloud storage provider usually boasts of 11 9s of data durability, but its availability took a hit after its wasabisys.com domain was taken offline. This occurred when the company’s domain registrar found malicious content hosted on the domain. The registrar forwarded the abuse notification to the wrong email address, so Wasabi was never notified. This resulted in a temporary suspension of the domain, where almost all of the company’s storage buckets are hosted. After removing the malicious content and responding to the registrar, the domain was restored 13 hours later.
Apple removes iOS app for finding underground parties
The Vybe Together app was removed from the iOS App Store, as it offered to organize and attend underground parties, often in violation of state or city COVID-19 rules. The app’s TikTok account was also banned. In a statement to The Verge, one of the app’s co-founders said the app had a few thousand users, with several thousand additional applicants that had requested access. The app seemingly launched originally under the name Trendies.
How do we close the cyber skills gap?
This question was addressed in a recent editorial by Fortinet Vice President Rob Rashotte. An early 2020 survey by the company found that 76% of respondents thought skill shortages were creating added risks for organizations, with a 2019 study finding an additional 4 million cybersecurity professionals needed to fill the void. Rashotte makes the case that continuous learning is essential to bring in and keep cyber skills up to date with the evolving threat landscape. He further calls on private organizations to coordinate with nonprofits and academic institutions to provide training, certifications and mentoring, as well as opening up the training programs to create an equitable, diverse and inclusive pipeline. While employees need to stay on top of skills, Rashotte argues that private organizations need to lead in expanding who has access to training in the first place.