Weekly CyberTip: Don’t use “admin” accounts for daily activities
Never use an administrator account or other privileged “super user” credentials for your day-to-day work. Admin accounts provide heightened access to your system – and potentially others – so they should only be used in cases where those powers are required. If your device is lost, stolen, or hacked, administrator privileges could be abused. And even if malice is not involved, unnecessary use of admin accounts creates opportunities for innocent errors to do real damage. Set up one standard account for daily use, and reserve the admin account for appropriate occasions only.
Revenge motive behind massive T-Mobile breach?
According to a report in The Wall Street Journal, a 21-year-old American now living in Turkey has taken credit for being the ringleader behind the massive T-Mobile hack that exposed the sensitive information of more than 50 million people.
Virginia-born John Binns was originally identified as a possible culprit by Alon Gal, CTO of security firm Hudson Rock, in August 2021. Gal had allegedly been contacted by Binns, saying that the attack was intended to harm U.S. infrastructure in retaliation for the “kidnapping and torture of John Erin Binns (CIA Raven-1) in Germany by CIA and Turkish intelligence agents in 2019”. Gal, whose account has since been suspended by Twitter, reported his conversation in a series of tweets in August.
According to the WSJ article, Binns has provided compelling evidence supporting his claim of responsibility. Binns allegedly conducted the attacks from his home in Turkey, where he has lived since 2018. In July 2021, after the alleged abduction and torture incidents, Binns began searching for gaps in T-Mobile’s defenses by scanning its Internet addresses. Eventually he discovered an unprotected router, through which he gained access to a Washington State data centre. From there, he was able to explore and gain access to over 100 corporate servers; by August 4 he had stolen millions of files containing personal customer information. News of the breach hit headlines in mid-August when a cache of T-Mobile data appeared for sale on the dark web.
Microsoft patches serious, months-old vulnerability in Azure
Researchers at Santa Clara, California-based security firm Wiz have published a bulletin advising of a significant flaw in the Cosmos DB feature in Microsoft Azure.
According to the bulletin, the flaw gave “any Azure user full admin access (read, write, delete) to another customer’s Cosmos DB instances without authorization. The vulnerability has a trivial exploit that doesn’t require any previous access to the target environment and impacts thousands of organizations, including numerous Fortune 500 companies.”
Wiz's advisory states that its researchers found the flaw on August 9 and reported it to Microsoft on August 12. Microsoft disabled the feature on August 14, and ultimately released a patch on Azure that went into production on August 26.
On August 26, Microsoft issued an email statement to about 30% of its Cosmos DB users, seeking to address concerns about the risks: “We have no indication that external entities outside the researcher had access to the primary read-write key associated with your Azure Cosmos DB account(s). In addition, we are not aware of any data access because of this vulnerability. Azure Cosmos DB accounts with a vNET or firewall enabled are protected by additional security mechanisms that prevent risk of unauthorized access.”
However, Wiz, who were awarded a $40,000 USD bug bounty reward for isolating and documenting the vulnerability, warn that the flaw has existed for months, and every Cosmos DB customer should assume they’ve been exposed. Both Wiz and Microsoft encourage users of the product to regenerate and rotate their primary read-write Cosmos DB keys for each of the affected Azure Cosmos DB accounts as a precaution.
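The key rotation that Wiz and Microsoft recommend, as an added example (not code from the newsletter, Wiz, or Microsoft) using the Azure CLI. It assumes `az` is installed and logged in, and uses placeholder account and resource-group names; by default it only prints the commands it would run.

```shell
#!/bin/sh
# Added example: rotate the read-write keys of an Azure Cosmos DB account.
# ACCOUNT and RESOURCE_GROUP are placeholders; override them via the environment.
set -eu

ACCOUNT="${ACCOUNT:-my-cosmos-account}"                # placeholder
RESOURCE_GROUP="${RESOURCE_GROUP:-my-resource-group}"  # placeholder
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only; 0 = execute them

# Build the az command that regenerates one read-write key.
# The CLI accepts "primary" and "secondary" for the read-write keys.
regen_cmd() {
    case "$1" in
        primary|secondary) ;;
        *) echo "unknown key kind: $1" >&2; return 1 ;;
    esac
    printf 'az cosmosdb keys regenerate --name %s --resource-group %s --key-kind %s\n' \
        "$ACCOUNT" "$RESOURCE_GROUP" "$1"
}

# Either print or execute a command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "+ $1"
    else
        sh -c "$1"
    fi
}

# Rotation order that avoids an outage for clients currently using the primary key:
#  1. regenerate the secondary key (no client should be using it yet),
#  2. move application configuration to the new secondary key,
#  3. regenerate the primary key, invalidating any copy an attacker may hold,
#  4. optionally move clients back to the new primary key and repeat for the secondary.
rotate_keys() {
    run "$(regen_cmd secondary)"
    echo "# now switch application configs to the new secondary key before continuing"
    run "$(regen_cmd primary)"
}

rotate_keys
```

Run with `DRY_RUN=0 ACCOUNT=<name> RESOURCE_GROUP=<group>` once the commands shown look right for your account.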
Due to the potential seriousness of the bug, full details of the flaw have not yet been released. Wiz is planning to publish a technical paper describing their findings in the near future.
New Hampshire town loses $2.3M in email scam
In an August 23 press release, the Town of Peterborough, New Hampshire, confirmed that it had been the victim of a business email compromise (BEC) in July 2021: “It pains us to inform the residents and taxpayers of Peterborough that like so many other towns and cities, we have fallen victim to an internet-based crime that has defrauded our taxpayer of $2.3 million [all figures USD].”
Town officials said they first learned of the losses on July 26 after the local Contoocook Valley School District reported not receiving its customary monthly funding of $1.2 million.
The town’s investigation into the lost payment revealed that threat actors had used spoofed email accounts and forged documents to redirect the town’s payment to the hackers’ account.
The press release indicated that two further hijacked payments, apparently totalling $1.1 million and originally destined for local contractors working on a bridge rehabilitation project, were identified during the subsequent investigation.
In both cases, town officials followed official protocol and notified the U.S. Secret Service, the town’s cyber insurance provider, and a designated cybersecurity firm. The Secret Service Cyber Fraud Task Force traced transactions involving the stolen funds and determined that the full amounts had been converted to cryptocurrency.
“We do not believe that the funds can be recovered by reversing the transactions, and we do not yet know if these losses will be covered by insurance,” advised the press release. While its insurance claim is being evaluated, the town is reportedly reaching out to the Governor of New Hampshire for assistance.
The press release was silent on the suspected identity of the hackers, beyond confirming that the forged email communications came from “overseas”. The finance department staffers who were tricked by the BEC were placed on leave until the investigation is completed, but there are no indications that insiders were criminally involved in the attack.
The incident is a sobering reminder of the devastating impact cyber attacks can have on smaller municipalities: Peterborough, NH, a town of about 7000 people, has an annual budget of about $15.8 million – meaning the hackers have stolen nearly 15% of the year’s resources.