AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets 08/23/2021

AT&T denies data breach after hacker auctions 70 million user database

AT&T says that it did not suffer a data breach after a well-known threat actor claimed to be selling a database containing the personal information of 70 million customers. The threat actor, known as ShinyHunters, began selling the database yesterday on a hacking forum with a starting price of $200,000 and bid increments of $30,000, and says they are willing to sell it immediately for $1 million. From the samples shared by the threat actor, the database contains customers’ names, addresses, phone numbers, Social Security numbers, and dates of birth. A security researcher who wishes to remain anonymous told BleepingComputer that two of the four people in the samples were confirmed to have accounts on att.com.


Hackers can bypass Cisco security products in data theft attacks

Cisco said that unauthenticated attackers could bypass the TLS inspection filtering in multiple products to exfiltrate data from previously compromised hosts inside customers’ networks. In such attacks, the threat actors exploit a weakness in Server Name Indication (SNI) request filtering that affects the 3000 Series Industrial Security Appliances (ISAs), Firepower Threat Defense (FTD), and Web Security Appliance (WSA) products. “Using SNIcat or a similar tool, a remote attacker can exfiltrate data in an SSL client hello packet because the return server hello packet from a server on the blocked list is not filtered,” Cisco explained. “This communication can be used to execute a command-and-control attack on a compromised host or perform additional data exfiltration attacks.” Note that this is not an initial-access vulnerability: the attacker must already control a host behind the appliance, and the flaw lets that host talk to a blocked destination through the inspection point. So far, the Cisco Product Security Incident Response Team (PSIRT) is not aware of attackers or malware exploiting this security flaw in the wild.
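The mechanism described above is easier to reason about with the bytes in front of you. The following is an added example written for this post, not SNIcat’s code and not Cisco’s: it builds a minimal TLS 1.2 ClientHello carrying a server_name extension, parses the SNI back out of the raw record the way an inspection device must, and applies a heuristic (label length, label count, per-label entropy) to decide whether the SNI looks like encoded data rather than a hostname. The base32 encoding, the `example.com` suffix, the sample secret and the thresholds are all assumptions for illustration; SNIcat’s real framing is not reproduced.

```python
import base64
import math
import struct
from typing import Optional

# Added illustration for this post: not SNIcat and not Cisco code.
# Builds and parses a TLS 1.2 ClientHello with a server_name extension (RFC 5246 / RFC 6066).


def build_client_hello(server_name: str) -> bytes:
    """Return one TLS record holding a minimal ClientHello whose only extension is SNI."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type = host_name (0)
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry          # ServerNameList
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list    # extension_type = server_name (0)
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                # client_version: TLS 1.2
        + bytes(32)                # random: all zero in this constructed sample
        + b"\x00"                  # session_id: empty
        + b"\x00\x02\x00\x2f"      # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
        + b"\x01\x00"              # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body     # type client_hello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Walk a TLS record and return the host_name from the server_name extension, or None."""
    if len(record) < 5 or record[0] != 0x16:
        return None                                   # not a handshake record
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                   # not a ClientHello
    pos = 4 + 2 + 32                                  # skip handshake header, version, random
    pos += 1 + hs[pos]                                # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + hs[pos]                                # compression_methods
    if pos + 2 > len(hs):
        return None                                   # no extensions block at all
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if etype == 0:
            # ServerNameList: list_len(2) name_type(1) name_len(2) name
            name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
            return hs[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
        pos += elen
    return None


def build_exfil_sni(data: bytes, domain: str) -> str:
    """Encode a secret as DNS-safe labels under an attacker domain (assumed encoding)."""
    enc = base64.b32encode(data).decode().lower().rstrip("=")
    labels = [enc[i:i + 63] for i in range(0, len(enc), 63)]   # a DNS label is at most 63 octets
    return ".".join(labels + [domain])


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def sni_looks_like_exfil(name: str, max_label_len: int = 32,
                         max_labels: int = 6, max_entropy: float = 4.0) -> bool:
    """Heuristic check on one SNI value. Thresholds are assumptions; tune on your own traffic."""
    labels = name.split(".")
    if any(len(label) > max_label_len for label in labels):
        return True
    if len(labels) > max_labels:
        return True
    return any(len(label) >= 16 and shannon_entropy(label) > max_entropy for label in labels)


if __name__ == "__main__":
    secret = b"SSN=123-45-6789;name=jane doe"   # constructed sample, not real data
    for candidate in ("www.att.com", build_exfil_sni(secret, "example.com")):
        sni = extract_sni(build_client_hello(candidate))
        print(sni, "->", "BLOCK" if sni_looks_like_exfil(sni) else "allow")
```

The practical point for a defender: once the ClientHello has been forwarded, the data in the SNI has already left the network, so the control has to act on the ClientHello before it is passed upstream (or on a pre-existing category/reputation block for the destination), and the heuristic above belongs in alerting as well as blocking, because long, high-entropy SNIs from a single internal host are a cheap signal of this class of tunnel.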


T-Mobile data breach just got worse — now at 54 million customers

The T-Mobile data breach keeps getting worse: an update to the company’s investigation now reveals that the cyberattack exposed over 54 million individuals’ data. Last weekend, a threat actor began selling the personal information of what they claimed were 100 million T-Mobile customers on a hacking forum for six bitcoin (~$280K). The exposed data can include customers’ IMSI, IMEI, phone numbers, customer names, security PINs, Social Security numbers, driver’s license numbers, and dates of birth. The hackers said the database was stolen approximately two weeks ago and contains customer data from as far back as 2004. “Their entire IMEI history database going back to 2004 was stolen,” the hacker told BleepingComputer.


Cloudflare says it mitigated a record-breaking 17.2M rps DDoS attack

Internet infrastructure company Cloudflare disclosed today that it mitigated the largest volumetric distributed denial of service (DDoS) attack recorded to date. The attack, which took place last month, targeted one of Cloudflare’s customers in the financial industry. Cloudflare said that a threat actor used a botnet of more than 20,000 infected devices to fling HTTP requests at the customer’s network in order to consume and crash server resources. Cloudflare calls this a volumetric DDoS, but the volume is measured in requests rather than bits: unlike classic bandwidth DDoS attacks, where threat actors try to exhaust and clog up the victim’s internet connection, the attacker here sends as many junk HTTP requests as possible to the victim’s server so that CPU and RAM are spent on them and legitimate users are locked out of the targeted sites. Cloudflare said this attack peaked at 17.2 million HTTP requests per second (rps), a figure the company described as almost three times larger than any previous volumetric DDoS attack reported in the public domain.
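The distinction above (requests per second versus bits per second) is what you measure when triaging a flood on your own edge, and a per-client token bucket is the simplest control that lets a real user through while starving a bot. The following is an added example for this post, not Cloudflare’s code: it builds a small constructed access log (20 bot addresses in the 203.0.113.0/24 documentation range plus one legitimate client), computes peak rps and top talkers, and then replays the log through a per-client token bucket to show how many requests such a limiter would reject. The log format, the addresses and the rate/burst values are assumptions for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Added illustration for this post; not Cloudflare's data or code.


def make_sample_log() -> List[str]:
    """Constructed access-log lines: '<iso timestamp> <client ip> <method> <path>'."""
    base = datetime(2021, 7, 15, 10, 0, 0)
    lines = []
    # 20 bot addresses each fire 10 requests inside the first second (100 ms apart)
    for i in range(20):
        for j in range(10):
            ts = base + timedelta(milliseconds=100 * j)
            lines.append(f"{ts.isoformat()} 203.0.113.{i + 1} GET /api/search?q={j}")
    # one legitimate client sends one request per second for five seconds
    for s in range(5):
        ts = base + timedelta(seconds=s, milliseconds=500)
        lines.append(f"{ts.isoformat()} 198.51.100.7 GET /index.html")
    return lines


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    ts, ip, method, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), ip, method, path


def requests_per_second(lines: List[str]) -> Dict[datetime, int]:
    """Bucket requests into one-second bins (the rps figure in the article)."""
    return dict(Counter(parse_line(line)[0].replace(microsecond=0) for line in lines))


def peak_rps(lines: List[str]) -> int:
    return max(requests_per_second(lines).values())


def top_sources(lines: List[str], n: int = 3) -> List[Tuple[str, int]]:
    return Counter(parse_line(line)[1] for line in lines).most_common(n)


class TokenBucket:
    """Per-client limiter: a client may burst `burst` requests, then sustain `rate` per second."""

    def __init__(self, rate: float, burst: float) -> None:
        self.rate, self.burst = rate, burst
        self.state: Dict[str, Tuple[float, datetime]] = {}   # ip -> (tokens, last seen)

    def allow(self, ip: str, now: datetime) -> bool:
        tokens, last = self.state.get(ip, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last).total_seconds() * self.rate)
        ok = tokens >= 1
        if ok:
            tokens -= 1
        self.state[ip] = (tokens, now)
        return ok


def apply_limit(lines: List[str], rate: float = 5, burst: float = 3) -> Tuple[int, int]:
    """Replay the log in time order; return (allowed, rejected) counts."""
    bucket = TokenBucket(rate, burst)
    allowed = rejected = 0
    for line in sorted(lines, key=lambda l: parse_line(l)[0]):
        ts, ip, _, _ = parse_line(line)
        if bucket.allow(ip, ts):
            allowed += 1
        else:
            rejected += 1
    return allowed, rejected


if __name__ == "__main__":
    log = make_sample_log()
    print("peak rps:", peak_rps(log))
    print("top sources:", top_sources(log, 3))
    print("allowed/rejected with rate=5 burst=3:", apply_limit(log))
```

With these numbers the bots are capped at 7 of their 10 requests each while the legitimate client, which never exceeds one request per second, is never rejected. A limiter like this only protects the origin’s CPU and RAM if it runs in front of the expensive code path; at the scale in the article it has to sit on an edge that can absorb the request volume in the first place.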


GitHub Encourages Users to Adopt Two-Factor Authentication

Software repository platform GitHub is once again encouraging users to enable two-factor authentication (2FA) to better secure their accounts. The Microsoft-owned hosting service has had support for 2FA for eight years, and is now pushing for a wider use of the feature after it stopped accepting account passwords for authenticating Git operations. Initially announced in July 2020 and in effect starting August 13, 2021, the change requires the use of token-based authentication (personal access token, SSH keys, or an OAuth or GitHub App installation token) for all Git operations. Following this switch, GitHub is now encouraging all of its users to enable 2FA to better protect their accounts, once again reminding them of the benefits of this feature, such as better protection against phishing and other types of attacks.


LockFile: Ransomware Uses PetitPotam Exploit to Compromise Windows Domain Controllers

What appears to be a new ransomware family is being used to target victims in various industries around the globe. The LockFile ransomware was first observed on the network of a U.S. financial organization on July 20, 2021, with its latest activity seen as recently as August 20. LockFile has been seen on organizations around the world, with most of its victims based in the U.S. and Asia. Indications are that the attackers gain access to victims’ networks via Microsoft Exchange Servers, and then use the incompletely patched PetitPotam vulnerability to gain access to the domain controller, and then spread across the network. It is not clear how the attackers gain initial access to the Microsoft Exchange Servers. Victims are in the manufacturing, financial services, engineering, legal, business services, and travel and tourism sectors.
