T-Mobile US suffers second data theft within months
Also, Capita's buckets are leaking, ransomware attackers deliver demands via emergency alert, and this week's critical vulns
in brief We'd say you'll never guess which telco admitted to a security breakdown last week, but you totally will: T-Mobile US, and for the second time (so far) this year.
For those counting, this also makes the seventh incident in five years at the cellular provider – though this one is small compared to the 37 million subscribers whose data leaked in January. Only 836 customers were caught up in this one.
In a form letter shared by Infosecurity, T-Mobile said it detected unauthorized activity in its network in March, with illicit access beginning in late February. T-Mobile said no financial information or call logs were obtained, but account PINs and plenty of valuable PII was exfiltrated.
"The information obtained for each customer varied, but may have included full name, contact information, account number and associated phone numbers, T-Mobile account PIN, social security number, government ID, date of birth, balance due, internal codes that T-Mobile uses to service customer accounts (for example, rate plan and feature codes), and the number of lines," the "Un-carrier" explained in its letter.
For T-Mobile customers wondering if they were affected, letters were mailed out on April 28, so if you haven't received one you're probably fine. T-Mobile also said that it reset account PINs for affected customers, so if you've had trouble with your account that might be why.
T-Mobile has had tens of millions of customer records compromised over the years. Its first reported breach was in 2018 when two million records were accessed along with hashed passwords, and a year later more than a million customers had their data exposed. March and December of 2020 brought an additional pair of breaches, followed by a whopping 48 million customer records posted to the dark web in 2021.
Capita doesn't just get hacked – it also leaves its buckets open
Still reeling from the aftermath of a Black Basta break in, London-based digital services firm Capita is now contending with a security researcher's allegation it left an AWS S3 bucket unsecured for seven years.
The password-free bucket reportedly contained 3,000 files totaling 655GB – including software files, server images, spreadsheets, PowerPoint presentations and text documents, one of which the researcher said contained login details for one of Capita's systems. Filenames found in the bucket suggest it's still in use, too.
The researcher said they notified Capita in late April, and the bucket was secured shortly afterwards. Capita said nothing in the bucket was sensitive.
Misconfigurations in AWS S3 storage buckets are an incredibly common problem and have affected some large companies. Twilio, McGraw-Hill and even US military cyber resilience contractors have spilled their secrets thanks to leaky buckets.
Critical vulnerabilities of the week: Log4j still a thing
There isn't too much to report on the critical vulnerabilities front this week, but there is something interesting to note in the known exploited vulnerabilities that CISA cataloged this week: Another Log4j exploit is making the rounds.
Looks like the Department of Homeland Security was right.
This exploit is due to an incomplete fix applied to Apache Log4j that leaves room for attackers to exploit the vulnerability in certain non-default configurations. In this case, an attacker with control over Thread Context Map input data in environments with non-default logging configurations is able to craft malicious input data that can leak information and enable remote code execution. Patches are available, and this is a known exploit, so apply ASAP.
In other critical KEV news:
- CVSS 8.8 – CVE-2023-1389: TP-Link Archer AX21 (AX1800) firmware prior to v. 1.1.4 Build 20230219 contains a command injection vulnerability in its web management interface that can give an attacker command injection capabilities with root permissions.
Two industrial control system vulnerabilities were also reported:
- CVSS 9.8 – multiple CVEs: All versions of Dataprobe iBoot-PDU software prior to 1.42.06162022 contain a vulnerability chain that allow unauthenticated RCE on affected devices.
- CVSS 8.8 – multiple CVEs: A whole bunch of Mitsubishi EFA devices in the MELIPC, MELSEC iQ-R and MELSEC Q line of devices contain a third-party dependency that leaves them vulnerable to privilege escalation, DoS and parameter disclosure.
University text alert system hacked to deliver ransom demand
Students at Virginia's Bluefield University have enough to worry about this time of year, what with finals and all, but add a ransomware attack and text messages from hackers blowing up their phones to the mix and you have a recipe for one helluva finals week.
Bluefield reported the attack on Sunday, telling students and faculty that the incident could take days to resolve, but reassuring everyone that "as of now, we have no evidence indicating any information involved has been used for financial fraud or identity theft."
Unfortunately for the university, it appears the attacker behind the hack disagreed with that claim, and had gained access to the college's RamAlert system – typically used for things like weather alerts or shooter drills.
"We have admissions data from thousands of students," the attackers declared, claiming they had 1.2TB of data and that they're ready to use it. It's unclear how Bluefield is going to respond – so far they've only warned faculty not to use their university email, and delayed finals a day. ®