Weekly Summary

SPOTLIGHT, VULNERABILITY CHAT & PRIVACY HEADLINES

Cuban Mobile Operator Data Breach Exposes Sensitive User Information

02 September 2024
BREACHAWARE HQ

A total of 26 breaches were found and analysed resulting in 33,301,424 leaked accounts containing a total of 29 different data types. The breaches found publicly and freely available included ShopBack, JKAmaret, Allegedly Habibs, Talent Smart EQ [URL redirected] and Stealer Log 0480. Sign in to view the full BreachAware Breach Index which includes, where available, reference articles relating to each breach.

SPOTLIGHT

A Cuban mobile operator and delivery service has just experienced a data breach. The threat actor responsible for exfiltrating the data seems to be new on the scene and is quickly making a name for themselves. The company in question already has a reputation for unsatisfactory online practices, with numerous customers complaining about their information being shared with third parties and the relentless SMS advertising from the company. If only these customers knew that things are likely to get worse now that this data is freely circulating on various hacking platforms. A significant amount of personally identifiable information was exposed.

Meanwhile, the National Crime Agency (NCA) in the UK has been busy. They’ve successfully taken down a caller ID spoofing website called Russiancoms, which sold mobile phones running a customised version of Android loaded with features useful to cybercriminals. For example, these phones could spoof any number, including international calls, law enforcement, and banking numbers. They even came with a built-in voice distortion feature to mask the user’s real voice during fraudulent activities. At the time of writing, the group behind this operation was running a significant business; three people have been arrested, but more arrests are expected as the NCA now has a copy of their user base. These phones were used to make scam calls to individuals in over 100 different countries, with the NCA estimating that users were responsible for 1.8 million scam calls.

In the US, the FBI, every threat actor's least favourite government agency, has seen a small portion of its files leaked on a popular cybercrime forum. As of this writing, the leak occurred several days ago, and the list of headers gives a good overview: "Terrorism Fighting Data, White House Mailing List, FBI Top Employees (Name, Role, Location), Federal Jobs Listing, FBI Employees' Images, and more..." The leak comprises over 133 MB of data spread across 351 files, exposing a range of information including physical addresses, full names, and dates of birth, among other details. This type of leak could seriously impact the lives of FBI agents, making them easy targets for criminals seeking to extort or compromise the agency.

VULNERABILITY CHAT

Microsoft has identified a North Korean threat actor exploiting a zero-day vulnerability in Chromium to gain remote code execution (RCE). They assessed with high confidence that this activity is linked to a North Korean threat actor targeting the cryptocurrency sector for financial gain. Ongoing analysis and observed infrastructure have led them to attribute this activity with medium confidence to a group known as Citrine Sleet. The United States government has assessed that North Korean actors like Citrine Sleet will likely continue targeting vulnerabilities in cryptocurrency technology firms, gaming companies, and exchanges to generate and launder funds in support of the North Korean regime.

Chinese state-sponsored actors, known as Volt Typhoon or Bronze Silhouette, are actively exploiting a zero-day vulnerability in software used by many internet service providers and computer network management companies. The flaw was discovered in Versa Director, a critical component in managing SD-WAN networks used by some ISPs. For threat actors, this is a lucrative target, enabling them to view or control network infrastructure at scale or pivot into additional networks of interest.

Cisco has disclosed a critical vulnerability in its NX-OS software that could allow unauthenticated, remote attackers to cause a denial-of-service (DoS) condition on affected devices. Cisco has released software updates to address the vulnerability and strongly recommends that customers upgrade to a fixed version as soon as possible. Currently, there are no workarounds available to fully mitigate this security flaw.

Threat actors are actively exploiting a now-patched critical security flaw impacting Atlassian Confluence Data Center and Confluence Server to conduct illicit cryptocurrency mining on vulnerable instances. The security vulnerability is a maximum severity bug in older versions of Atlassian Confluence Data Center and Confluence Server that could allow unauthenticated attackers to achieve remote code execution. The Australian software company addressed the issue in mid-January 2024.

Fortra has addressed a critical security flaw impacting FileCatalyst Workflow that could be exploited by a remote attacker to gain administrative access. "The default credentials for the setup HSQL database (HSQLDB) for FileCatalyst Workflow are published in a vendor knowledge base article," Fortra stated in an advisory. "Misuse of these credentials could compromise the confidentiality, integrity, or availability of the software."

According to Akamai researchers, an outdated AVTECH camera provides an ideal source for spreading the notorious Mirai malware, which is used to establish botnets. The vulnerable device is the AVTECH AVM1203 dome camera. Researchers discovered this flaw after setting up several honeypots that posed as this type of camera.

Security researchers have uncovered a vulnerability in a key air transport security system that could allow unauthorised individuals to bypass airport security screenings and gain access to aircraft cockpits. Researchers Ian Carroll and Sam Curry identified the vulnerability in FlyCASS, a third-party web-based service used by some airlines to manage the Known Crewmember (KCM) program and the Cockpit Access Security System (CASS). The Department of Homeland Security (DHS) acknowledged the seriousness of the issue and confirmed that FlyCASS was disconnected from the KCM/CASS system on May 7, 2024, as a precautionary measure. The vulnerability was subsequently fixed in FlyCASS.

In collaboration with the Munich-based company MGM Security Partners, the German Federal Office for Information Security (BSI) examined the source code of the messenger service Matrix and the social media application Mastodon. The findings report on the Twitter alternative Mastodon identified two cross-site scripting vulnerabilities in Contribsys Sidekiq version 6.5.8. These vulnerabilities could allow an attacker to obtain confidential information remotely via a manipulated payload. Researchers also discovered a bypassable rate-limiting flaw that is exacerbated by the application’s use of trivial passwords and the ability to enumerate valid usernames without limit.

North Korean-aligned threat actors have renewed their malicious campaign on npm, publishing multiple packages since August 12, 2024. This campaign, linked to the C2 “Contagious Interview,” utilises multi-layered, obfuscated JavaScript that retrieves additional malware features from the internet. It also uses Python scripts and even a fully functioning version of the Python interpreter to secretly install browser extensions for cryptocurrency wallets, continuously searching for and stealing their sensitive content.

Three Common Vulnerabilities and Exposures (CVEs) were added to the Cybersecurity & Infrastructure Security Agency's (CISA) 'Known Exploited Vulnerabilities Catalog' last week, including Google (Chromium V8). See the full catalog here: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

NIST's National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP), published 522 vulnerabilities last week, bringing the 2024 total to 26,480. For more information visit https://nvd.nist.gov/vuln/search/

INFORMATION PRIVACY HEADLINES

Pavel Durov, the founder and CEO of Telegram, was arrested as he stepped off his private jet in Paris on Saturday, August 24. This marks the first time a social media executive has been jailed for crimes allegedly committed on their platform. Durov was released on Wednesday after paying a €5 million bail but is prohibited from leaving the country as authorities have placed him under criminal investigation. In a statement, Telegram asserted that the platform "abides by EU laws," including the Digital Services Act, and added, "It is absurd to claim that a platform or its owner are responsible for abuse of that platform."

Although the Recall feature of Windows 11 has not yet launched, it has already sparked significant controversy since its announcement. Microsoft has now decided to make Recall an opt-in feature and to offer it as an optional component of Windows 11.

The UK's Information Commissioner's Office (ICO) has issued a reprimand to the Labour Party for repeatedly failing to respond to subject access requests (SARs) from individuals seeking to know what personal information the party held on them. In November 2022, the Labour Party had received 352 SARs that required a response. Of these, 78% did not receive a response within the mandatory three-month time limit, and over half (56%) were significantly delayed by more than a year.

Supermarkets in France are testing new video surveillance systems at self-checkouts, which are proving more effective than traditional methods but raising concerns about personal freedoms. According to the newspaper Le Parisien, Intermarché supermarket in Var is using a system that combines payment with anti-theft video surveillance. The self-service checkouts are equipped with cameras focused on customers' hands as they scan and bag each item, designed to detect 'suspicious gestures.'


DATA CATEGORIES DISCOVERED

Contact Data, Socio-Demographic Data, Technical Data, Financial Data, Locational Data, Usage Data, Documentary Data, Transactional Data, Social Relationships Data, Special Category.
