
Celsius creditors’ crypto at risk, accidental Microsoft leak, and other cybersecurity stories

We have gathered the week’s most important cybersecurity news.

  • Microsoft accidentally exposed a link to 38 TB of employee data.
  • Celsius creditors’ crypto wallets were targeted by phishing.
  • A bug in the T-Mobile app exposed customers’ payment information.
  • The dark web marketplace PIILOPUOTI was shut down.

Microsoft accidentally exposed a link to 38 TB of employee data

Microsoft’s AI research division, while publishing a set of open-source training data on GitHub, inadvertently granted full access to an internal storage account holding confidential data. The exposure was discovered and reported by Wiz researchers.

The published Azure Storage link carried a Shared Access Signature (SAS) token that was scoped to the entire storage account rather than to the training files alone. Anyone with the link could therefore read 38 TB of data, including personal backups from two Microsoft employees’ workstations.
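A SAS token is just a set of query-string parameters (services, resource types, permissions, expiry) plus an HMAC signature, so a link can be triaged before it is committed. The following is an added example, not code from Wiz or Microsoft: a heuristic that parses an Azure Storage SAS URL and flags the properties that made this link dangerous, namely account-wide scope, write/delete/list permissions and a far-off expiry. The sample URLs, the storage account name, the container name and the signature values are constructed; the seven-day limit is an assumed policy.

```python
"""Heuristic triage of Azure Storage SAS URLs (added example, constructed data).

SAS query parameters are the documented ones: sv=version, ss=services,
srt=resource types (account SAS), sr=signed resource (service SAS),
sp=permissions, st/se=start/expiry, sig=signature.
"""
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

WRITE_PERMS = set("wdacu")            # write, delete, add, create, update
ACCOUNT_WIDE = {"s", "c", "o"}        # service, container, object resource types

# Constructed examples; the signatures are dummies, not real HMACs.
OVERLY_BROAD_URL = (
    "https://exampleaccount.blob.core.windows.net/ml-datasets/dataset.zip"
    "?sv=2021-06-08&ss=bfqt&srt=sco&sp=rwdlacup"
    "&se=2099-12-31T23:59:59Z&spr=https&sig=DUMMYSIGNATURE"
)
SCOPED_URL = (
    "https://exampleaccount.blob.core.windows.net/ml-datasets/dataset.zip"
    "?sv=2021-06-08&sr=b&sp=r&se=2023-09-25T00:00:00Z&sig=DUMMYSIGNATURE"
)


def parse_sas(url):
    """Return the SAS parameters of a URL, or {} if it carries no SAS token."""
    query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    return query if "sig" in query and "sv" in query else {}


def parse_expiry(value):
    """SAS times are ISO 8601 in UTC; a date-only value is also allowed."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unrecognised SAS expiry: %r" % value)


def assess_sas(url, now=None, max_days=7):
    """Classify a SAS URL and list why it is risky. max_days is an assumed policy."""
    now = now or datetime.now(timezone.utc)
    sas = parse_sas(url)
    if not sas:
        return {"is_sas": False, "findings": [], "severity": "none"}

    findings = []
    # ss/srt only appear on account SAS; service SAS uses sr instead.
    kind = "account" if ("ss" in sas or "srt" in sas) else "service"
    account_wide = kind == "account" and set(sas.get("srt", "")) >= ACCOUNT_WIDE
    if account_wide:
        findings.append("account SAS covers every service, container and blob")
    elif kind == "service" and sas.get("sr") == "c":
        findings.append("service SAS covers a whole container, not one blob")

    perms = set(sas.get("sp", ""))
    writes = perms & WRITE_PERMS
    if writes:
        findings.append("grants write/delete permissions: " + "".join(sorted(writes)))
    if "l" in perms:
        findings.append("grants list: the link holder can enumerate contents")

    if "se" in sas:
        days_left = (parse_expiry(sas["se"]) - now).days
        if days_left > max_days:
            findings.append("valid for %d more days (policy limit %d)" % (days_left, max_days))
    else:
        findings.append("no expiry in the token (depends on a stored access policy)")

    if account_wide and writes:
        severity = "high"
    elif findings:
        severity = "medium"
    else:
        severity = "low"
    return {
        "is_sas": True,
        "kind": kind,
        "permissions": "".join(sorted(perms)),
        "findings": findings,
        "severity": severity,
    }


if __name__ == "__main__":
    for url in (OVERLY_BROAD_URL, SCOPED_URL):
        report = assess_sas(url)
        print(report["severity"], report.get("kind"))
        for finding in report["findings"]:
            print("  -", finding)
```

The check is deliberately link-only: it never verifies the signature or calls Azure, so it can run in a pre-commit hook or a repository scanner. A token that scores `high` here is the shape to replace with a short-lived, read-only, blob- or container-scoped SAS, or with Azure RBAC on a dedicated account.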

The backups contained confidential personal data, including passwords to company services, secret keys and more than 30 000 internal Microsoft Teams messages from 359 employees.

Data: Wiz.

Wiz found the exposure in late June. Two days after Wiz notified Microsoft, the company’s incident response team revoked the SAS token, and about two weeks later replaced it on GitHub.

In a statement, the company emphasised that no customer data was exposed and that no other internal services were put at risk by the issue.

Celsius creditors’ crypto wallets targeted by phishing

Ahead of approval of the plan to repay creditors, creditors of the bankrupt crypto-lending platform Celsius began receiving phishing emails, Bleeping Computer reports.

The scammers pose as Stretto, the firm’s claims agent. The email gives creditors a seven-day window in which they can supposedly recover their frozen funds.

Data: Bleeping Computer.

The link in the message leads to a phishing site that asks users to connect their crypto wallet. Once the wallet is connected, the site prompts the victim to sign transactions that hand the attackers control of all the assets in it.

Because some recipients are not Celsius customers, reporters suggested that the attackers may be using email addresses from earlier leaks of various crypto services. The scale of the phishing campaign remains unclear.

A bug in the T-Mobile app exposed customers’ payment data

T-Mobile customers were able to see other customers’ data in the operator’s official mobile app. Numerous complaints appeared on Reddit and on X.

The list of accessible information included clients’ names, phone numbers, addresses, balance data on their accounts, and card details, including the expiry date and the last four digits.

According to T-Mobile representatives, the systems were not hacked — the issue occurred during an app update. They added that the incident had a “limited impact” and affected fewer than 100 people.

Nevertheless, outside experts warned that the exposed data could be used to mount SIM-swap attacks.

The PIILOPUOTI dark web marketplace shut down

Finnish customs, together with Europol, halted the PIILOPUOTI dark web marketplace and seized its domain.

Data: Europol.

According to the agency, the site had been used for drug trafficking within the country since May 2022.

At present, the case remains under investigation, with Finnish authorities identifying the site’s vendors and users.

Experts documented the abuse of “non-traditional” AWS services for covert mining

Sysdig researchers discovered a new cloud cryptojacking campaign, AMBERSQUID. It runs miners on unusual AWS services, including AWS Amplify, AWS Fargate and Amazon SageMaker.

Using these services spares the attackers from requesting additional capacity from AWS, which the service quotas on Amazon EC2 would force them to do in a more traditional attack.

Moreover, because the campaign spreads across several services, defenders have to detect and remove the miners from each of them separately.
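The operational lesson for defenders is that Amplify builds, Fargate tasks and SageMaker notebooks are compute, and their creation should be baselined and alerted on like EC2 instance launches. The following is an added example, not Sysdig’s tooling or code: a small CloudTrail triage rule that flags compute-creating API calls in the three services named above from any principal that has no history with that service, and singles out principals that touch several such services in one batch, which is the spread the page describes. The CloudTrail records, account ID, principal names and the baseline of known (principal, service) pairs are all constructed.

```python
"""CloudTrail triage for AMBERSQUID-style cryptojacking (added example, constructed data)."""
import json
from collections import defaultdict

# Compute-creating API calls in the services the campaign abuses. Each entry maps an
# eventName to a predicate over requestParameters so RunTask can be limited to Fargate.
COMPUTE_RULES = {
    "amplify.amazonaws.com": {
        "CreateApp": lambda p: True,
        "StartJob": lambda p: True,          # Amplify build jobs run on managed containers
    },
    "ecs.amazonaws.com": {
        "RunTask": lambda p: p.get("launchType") == "FARGATE",
    },
    "sagemaker.amazonaws.com": {
        "CreateNotebookInstance": lambda p: True,
        "CreateTrainingJob": lambda p: True,
    },
}

# (principal ARN, eventSource) pairs that are expected; here constructed, in practice
# derived from weeks of CloudTrail history.
BASELINE = {
    ("arn:aws:iam::123456789012:user/ops-admin", "ecs.amazonaws.com"),
}

# Constructed CloudTrail records in JSON-lines form (fields trimmed to what the rule uses).
SAMPLE_LOG = """
{"eventTime": "2023-09-14T10:01:12Z", "eventSource": "amplify.amazonaws.com", "eventName": "CreateApp", "awsRegion": "us-east-1", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/svc-deploy"}, "requestParameters": {"name": "web-app-1"}}
{"eventTime": "2023-09-14T10:03:40Z", "eventSource": "amplify.amazonaws.com", "eventName": "StartJob", "awsRegion": "us-east-1", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/svc-deploy"}, "requestParameters": {"jobType": "RELEASE"}}
{"eventTime": "2023-09-14T10:05:02Z", "eventSource": "ecs.amazonaws.com", "eventName": "RunTask", "awsRegion": "us-east-1", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/svc-deploy"}, "requestParameters": {"launchType": "FARGATE", "count": 8, "cluster": "default"}}
{"eventTime": "2023-09-14T10:06:55Z", "eventSource": "sagemaker.amazonaws.com", "eventName": "CreateNotebookInstance", "awsRegion": "us-west-2", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/svc-deploy"}, "requestParameters": {"instanceType": "ml.t3.medium"}}
{"eventTime": "2023-09-14T10:07:10Z", "eventSource": "ecs.amazonaws.com", "eventName": "RunTask", "awsRegion": "eu-west-1", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops-admin"}, "requestParameters": {"launchType": "FARGATE", "cluster": "prod"}}
{"eventTime": "2023-09-14T10:08:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "awsRegion": "us-east-1", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/data-pipeline"}}
{"eventTime": "2023-09-14T10:09:31Z", "eventSource": "amplify.amazonaws.com", "eventName": "ListApps", "awsRegion": "us-east-1", "userIdentity": {"arn": "arn:aws:iam::123456789012:user/svc-deploy"}}
"""


def load_records(text):
    """Parse JSON-lines CloudTrail records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def principal_of(record):
    return record.get("userIdentity", {}).get("arn", "<unknown>")


def detect(records, baseline):
    """Return compute-creation alerts plus principals spanning two or more services."""
    alerts = []
    services_by_principal = defaultdict(set)
    for record in records:
        source, name = record.get("eventSource"), record.get("eventName")
        predicate = COMPUTE_RULES.get(source, {}).get(name)
        if predicate is None or not predicate(record.get("requestParameters") or {}):
            continue                        # read-only or non-compute call
        who = principal_of(record)
        if (who, source) in baseline:
            continue                        # expected use of this service
        alerts.append({
            "time": record.get("eventTime"),
            "principal": who,
            "service": source,
            "event": name,
            "region": record.get("awsRegion"),
        })
        services_by_principal[who].add(source)
    campaign = sorted(p for p, s in services_by_principal.items() if len(s) >= 2)
    return {"alerts": alerts, "campaign_principals": campaign}


if __name__ == "__main__":
    result = detect(load_records(SAMPLE_LOG), BASELINE)
    for alert in result["alerts"]:
        print(alert["time"], alert["principal"], alert["service"], alert["event"], alert["region"])
    print("possible multi-service cryptojacking by:", result["campaign_principals"])
```

Two design choices matter here. The rule keys on the API call that creates compute rather than on a miner signature, so it fires regardless of which mining binary ends up in the container or notebook. And the baseline is per (principal, service), so a build account that has always used Fargate stays quiet while the same account suddenly creating Amplify apps and SageMaker notebooks is escalated as a likely spread across services, which is exactly the clean-up problem the page describes.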

Data: Sysdig.

The researchers attributed the campaign to Indonesian attackers. Wallet analysis shows that the covert cloud mining has earned them about $18,300 to date.

A major Las Vegas casino network paid ransom of $15 million after a breach

Hackers stole the loyalty program database of Caesars Entertainment, which included driver’s licenses and customers’ Social Security numbers. Under threat of publication, the company paid the attackers $15 million.

According to the company’s filing with the SEC, the attack was detected on September 7. The investigation is ongoing, but Caesars Entertainment says the incident did not affect its operations or customers’ payment data.

Researchers believe the attack was carried out by the Scattered Spider group, which recently attacked MGM Resorts.

Russia to block virtual-number services

The Russian government has classed the use of virtual DEF numbers (non-geographic mobile numbers) as a threat to national security in communications and Internet services; services that issue such numbers will be blocked from September 1, 2024, according to a resolution reported by TASS.

The document amends the rules for centralized management of the public communications network. The list of threats to this area was expanded with a point on providing users access to online resources and messaging apps without identification.

The DEF numbers in question belong to foreign telecom operators, are leased out, and are not tied to any individual’s personal data. As a result, attackers can use them to create throwaway accounts for publishing illegal content or committing fraud.

RKN proposed blocking information on evading censorship

Roskomnadzor developed criteria for limiting access to information on ways to bypass Internet blocks.

The new prohibition directly targets VPN services, the Tor browser, anonymisers, and any information about the advantages of circumventing censorship.

Public discussion of the draft order will run until 6 October. The amendments will take effect on 1 March 2024.

Also on ForkLog:

What to read this weekend?

An excerpt from Gaspard Koenig’s The End of the Individual, in which the author investigates whether AI could undo the “new feudalism.”
