T-Mobile US exposes some customer data – but don't call it a breach
PLUS: Trojan hidden in PoC; cyber insurance surge; pig butchering's new cuts; and the week's critical vulns
Infosec in brief T-Mobile US has had another bad week on the infosec front – this time stemming from a system glitch that exposed customer account data, followed by allegations of another breach the carrier denied.
According to customers who complained of the issue on Reddit and X, the T-Mobile app was displaying other customers' data instead of their own – including the strangers' purchase history, credit card information, and address.
This being T-Mobile's infamously leaky US operation, people immediately began leaping to the obvious conclusion: another cyber attack or breach.
"There was no cyber attack or breach at T-Mobile," the telco assured us in an emailed statement. "This was a temporary system glitch related to a planned overnight technology update involving limited account information for fewer than 100 customers, which was quickly resolved."
Note, as Reddit poster Jman100_JCMP did, T-Mobile means fewer than 100 customers had their data exposed – but far more appear to have been able to view those 100 customers' data.
As for the breach, the appearance of exposed T-Mobile data was alleged by malware repository vx-underground's X (Twitter) account. The Register understands T-Mobile examined the data and determined that independently owned T-Mobile dealer, Connectivity Source, was the source – resulting from a breach it suffered in April. We understand T-Mobile believes vx-underground misinterpreted a data dump.
Connectivity Source was indeed the subject of a breach in April, in which an unknown attacker made off with employee data including names and social security numbers – around 17,835 of them from across the US, where Connectivity appears to do business exclusively as a white-labelled T-Mobile US retailer.
Looks like the carrier really dodged the bullet on this one – there's no way Connectivity Source employees could be mistaken for its own staff.
T-Mobile US has already experienced two prior breaches this year, but that hasn't imperilled the biz much – its profits have soared recently and some accompanying sizable layoffs will probably keep things in the black for the foreseeable future.
Critical vulnerabilities of the week
Gitlab this week released a security update for Enterprise Edition that addresses a critical issue allowing an attacker to run pipelines as an arbitrary user via scheduled security scan policies, which was itself a bypass of a previous security issue. Patch – or if that's not an option, disable either direct transfers or security policies, which will prevent the vulnerability from being exploited.
Atlassian also addressed a quartet of rather serious issues in a patch this week, including an RCE vulnerability in Bitbucket Data Center and Server and a DoS vulnerability in Confluence's similarly named products.
Some rather serious OT vulnerabilities to point out this week, too:
- CVSS 9.8 – CVE-2023-2262: A whole bunch of Rockwell Automation 1756 series Logix comms modules are vulnerable to an RCE exploit.
- CVSS 9.8 – CVE-2023-2071: Rockwell's FactoryTalk View Machine Edition software versions 13.0 and 12.0 and prior also contain a vulnerability that can be used to trigger RCE.
- CVSS 9.6 – Multiple CVEs: Rockwell's Connected Components Workbench software also has some serious vulnerabilities – in this case a series that could be used to allow an attacker to exploit heap corruption with specially crafted HTML.
- CVSS 9.4 – CVE-2023-4523: Real Time Automation's 460 series MCBS gateways are vulnerable to cross-site scripting.
- CVSS 8.2 – CVE-2023-38557: Siemens Spectrum Power 7 software versions prior to V23Q3 are assigning improper access rights to update scripts, giving an attacker a way to elevate their privileges.
Several known vulnerabilities were spotted being exploited in the wild this week:
- CVSS 9.8 – CVE-2021-3129: Ignition error page software before 2.5.2, as used in the Laravel PHP framework and other suites, lets unauthenticated users execute arbitrary code.
- CVSS 9.3 – CVE-2022-31462: Owl Labs Meeting Owl software version 22.214.171.124 contains a hardcoded backdoor password derived from the device's serial number, and it can be found in Bluetooth broadcast data.
- CVSS 8.8 – CVE-2023-28434: GitHub's Minio multi-cloud object storage framework contains a vulnerability that can be used to bypass metadata bucket name checking to allow for arbitrary object placement.
- CVSS 8.8 – CVE-2017-6884: Zyxel EMG2926 home router firmware contains a command injection vulnerability in its implementation of
- CVSS 7.2 – CVE-2023-41179: Trend Micro's Apex One, both on-prem and SaaS versions, contain a vulnerability in their third party AV uninstaller module that can allow an attacker to execute arbitrary commands.
Warning: That PoC might contain more than you bargain for
There are plenty of reasons why security researchers publish proof of concept (PoC) code for the vulnerabilities they discover, but some ingenious malware actor has figured out PoCs are also a clever way to distribute malware.
Researchers from Palo Alto Networks' Unit 42 said they've discovered a fake PoC for a remote code execution vulnerability in WinRAR that was identified on August 17. Only four days after the Zero Day Initiative disclosed the vulnerability, a fake PoC was uploaded to GitHub by a threat actor using the alias "whalersplonk."
The fake PoC script was based on another PoC that exploited an SQL injection vulnerability with the ultimate goal of installing the VenomRAT malware.
Unit 42 said it's unlikely whalersplonk specifically targeted security researchers, and likely aimed to compromise other threat actors who take advantage of new PoCs. "Based on a timeline of events, we believe the threat actor had created the infrastructure and payload independently from the fake PoC. Once the vulnerability was publicly released, the actors acted quickly to capitalize on the severity," Unit 42 explained.
Regardless, watch what you download.
Ransomware: Only getting worse, if insurance is a metric
Cyber insurance firm Coalition has released a mid-year look at the state of cyber security insurance, and found an increase in claims.
"The cyber threat landscape has become more volatile, and, as a result, we've seen claims become more severe and more common than ever," said Chris Hendricks, head of Coalition incident response.
Hendricks isn't kidding. Coalition reports that it saw a 27 percent year-over-year increase in the first half of 2023 in the number of ransomware claims, and said the severity of those claims increased by 61 percent in the same period, and 117 percent over the past year.
Ransom demands are up too, with the average demand being reported by Coalition clients up to $1.62 million (£1.3m) – a 47 percent increase over the past six months, and a 74 percent year-over-year increase.
This squares with data from other sources that have reported considerable rises in ransom demands over the past year. Unfortunately, with insurance firms willing to negotiate ransom payments, said payments are continuing, making the likelihood cyber criminals keep using the tactic all the greater.
So stop paying your ransoms – along with Hendricks's advice to "take an active role in improving … security defenses and make risk management a top priority."
Sophos warns of rise in pig butchering liquidity mining scam
Security software outfit Sophos warned last week that a variant of the common pig butchering scam targets liquidity mining of cryptocurrency.
One ring of pig butcherers Sophos uncovered operated out of 14 domains and netted over $1 million in only three months.
An example of the con involved a victim who was lured by a scammer on an online dating app. The victim was convinced to participate in a liquidity pool – fake, unbeknownst to him – that he believed would pay him a percentage of any fee charged when a trade was made, using a legitimate cryptocurrency app, Trust Wallet.
However, to join the pool, he had to give permission to another account to access his wallet to facilitate trade. Someone subsequently abused that trust and siphoned off the victim's money.
Pig butchering scams got their rise in China before becoming a global nuisance. In the case Sophos outlined, the scammer pretending to be a love interest would sometimes accidentally and suspiciously respond to the victim in Chinese.
"What makes these sorts of scams particularly tricky is that they don't require any malware to be installed on a victim's device. They don't even involve a fake app, like some of those we've encountered in other CryptoRom scams. This entire fake liquidity pool was run through the legitimate Trust Wallet app," said Sophos researcher Sean Gallagher in a canned statement.
The researcher explained that while these scams were once rare, the security outfit is now seeing more than 500 fraudulent liquidity pool sites.
"Very few understand how legitimate cryptocurrency trading works, so it's easy for these scammers to con their targets. There are even toolkits now for this sort of scam, making it simple for different pig butchering operations to add this type of crypto fraud to their arsenal," said Gallagher. – Laura Dobberstein ®