Cyber Security Headlines: Uber hacker arrested, Microsoft SQL hacked, CircleCI GitHub hack

London Police arrest 17-year-old hacker suspected of Uber and GTA 6 breaches

The City of London Police on Friday revealed that it has arrested a 17-year-old from Oxfordshire on suspicion of hacking. The department said the arrest was made as part of an investigation in partnership with the U.K. National Crime Agency’s cybercrime unit. No further details about the nature of the investigation were disclosed, although it’s suspected that the law enforcement action may have something to do with the recent string of high-profile hacks aimed at Uber and Rockstar Games. Both the intrusions are alleged to have been committed by the same threat actor, who goes by the name Tea Pot (aka teapotuberhacker). Uber, for its part, has pinned the breach on an attacker (or attackers) that it believes is associated with the LAPSUS$ extortion gang, two of whom are facing fraud charges. According to cybersecurity company Flashpoint, the real world identity of the hacker behind the two incidents is said to have been outed on an online illicit forum.

(The Hacker News)

Microsoft SQL servers hacked in TargetCompany ransomware attacks

Vulnerable Microsoft SQL servers are being targeted in a new wave of attacks with FARGO ransomware, security researchers are warning. BleepingComputer reported similar attacks in February, dropping Cobalt Strike beacons, and in July when threat actors hijacked vulnerable MS-SQL servers to steal bandwidth for proxy services. The latest wave is more catastrophic, aiming for a quick and easy profit by blackmailing database owners. Security researchers at AhnLab Security Emergency Response Center (ASEC) say that FARGO is one of the most prominent ransomware strains that focus on MS-SQL servers, along with GlobeImposter. This malware family has been referred to as “Mallox” in the past because it used to append the “.mallox” extension to the files it encrypts.

(Bleeping Computer)

Attackers impersonate CircleCI platform to compromise GitHub accounts

GitHub is warning of an ongoing phishing campaign targeting its users to steal credentials and two-factor authentication (2FA) codes by impersonating the CircleCI DevOps platform. The company learned of the attacks against its users on September 16, it pointed out that the phishing campaign has impacted many victim organizations except GitHub. Phishing messages claims that a user’s CircleCI session expired and attempt to trick recipients into logging in using GitHub credentials. The company pointed out that the accounts protected by hardware security keys are not vulnerable to this attack.

(Security Affairs)

Agencies don’t know what sensitive data new IT systems collect on Americans, GAO report finds

More than two decades after being tasked with establishing privacy programs, 14 federal agencies have failed to address key practices for protecting the sensitive personal data of Americans, a new Government Accountability Office report finds. Agencies that have failed to implement full privacy plans include the Office of Personnel Management, which was the target of a data breach in 2015 that exposed the sensitive personal information of more than 20 million government employees. Agencies that have not developed a full privacy strategy include the Departments of Agriculture, Defense, Justice, Homeland Security, Housing and Urban Development, Veterans’ Affairs, State, Treasury, Environmental Protection Agency and OPM. In addition, the U.S. agency that maintains and modernizes the country’s nuclear stockpile was criticized in the same report for lackluster cybersecurity policies that “endangered both IT and operational technology networks.”

(Cyberscoop and The Record)

Thanks to today’s episode sponsor, Votiro

“Can you trust that your content and data is free of malware and ransomware? With Votiro you can. Votiro removes evasive and unknown malware from content in milliseconds, without impacting file fidelity or usability. It even works on password-protected and zipped files. Plus, it’s an API, so it integrates with everything – including Microsoft 365. Learn more at”

VPN providers flee India as a new data law takes hold

Starting yesterday, India’s Computer Emergency Response Team aka CERT—a body appointed by the Indian government to deal with cybersecurity and threats—will require VPN operators to collect and maintain customer information including names, email addresses, and IP addresses for at least five years, even after they have canceled their subscription or account. Last year, India became the country with the highest rate of growth in the use of VPN services worldwide. During the first half of 2021, 348.7 million VPNs were installed, showing a 671 percent jump in growth when compared to the same period in 2020, according to a 2021 analysis by Atlas VPN. This massive growth can be attributed to continuous internet shutdowns, a rise in digital scams, and the need for Indians to protect themselves online. As a result, VPN companies from across the globe have pulled their servers out of the country in a bid to protect their users’ privacy.


Microsoft’s new security chief looks to AI to fight hackers

In a Q&A interview with Bloomberg, newly installed cloud-computing executive Charlie Bell shares his plan to use AI to fight hackers. He states that people in cybercrime are “innovating to break everything you build … every time we take a step forward in security, there’s somebody out there scratching their head saying, well, what do I do to get around that, how do I break that?” Analogizing the situation to a soccer game where the other side is cheating, it’s time to “shrink the goal down to just about the size of the soccer ball, stretch the field out to be 20 miles long.” The full interview is available at Bloomberg.


American Airlines learned it was breached from phishing targets

Following up on a story we brought you last week, American Airlines now says its Cyber Security Response Team found out about a recently disclosed data breach from the targets of a phishing campaign that was using an employee’s hacked Microsoft 365 account. The investigation also revealed the attacker accessed multiple employees’ accounts (also compromised via phishing attacks) and used them to send more phishing emails to targets American has not yet disclosed. The company added that the team members’ accounts also provided access to employee files stored on the Sharepoint cloud-based service. Through its investigation, American was able to determine that the unauthorized actor used an IMAP protocol to access the mailboxes. 

(Bleeping Computer)

Last week in ransomware

This past week saw some embarrassment for the LockBit ransomware operation when their programmer leaked a ransomware builder for the LockBit 3.0 encryptor. The LockBit 3.0 ransomware builder makes it easy for any would-be threat actor to roll out their own operation simply by modifying the enclosed configuration file to use custom ransom notes. Other research last week shows how the BlackMatter ransomware gang continues to evolve its operation by upgrading its BlackCat data exfiltration tool for double-extortion attacks, and ransomware attacks were noted at the New York Racing Association and a New York ambulance service. Also of course, the Microsoft SQL servers Mallox ransomware mentioned at the start of this newscast.

(Bleeping Computer)