Between AT&T, all the follow-on activity from Snowflake, Microsoft Outlook, and more, it’s best to probably just assume at this point that your personal information has somehow been involved in a data breach.
We’re only halfway through 2024, and we’ve already seen some of the largest data breaches and leaks in history. Telecommunications provider AT&T disclosed earlier this month that adversaries stole a cache of data that contained the phone numbers and call records of “nearly all” of its customers, which equates to about 110 million people.
Even if you’ve yet to receive the dreaded boilerplate notification email from any company, it’s probably just best for all of us to assume that some of our personal information has been accessed, leaked or stolen over the past few years, or it’s going to be eventually.
I took this as an opportunity to check for myself. The ever-popular Have I Been Pwned? says my personal email address has been involved in 14 breaches, some dating back to 2017 and one as recently as June.
Thankfully, Trend Micro’s ID Protect says that my personal cell phone hasn’t been involved in any data breaches, but that certainly hasn’t stopped me from getting my fair share of spam texts and phone calls.
Outside of those two search engines, I felt like this would be a good space to provide additional resources and advice for anyone reading this. Even if you haven’t been a part of the recent spate of data breaches, I think it’s a good idea to take these steps now anyway, because you never know when the next breach is going to happen.
- Stop reusing passwords. Use a free password manager to generate random, secure passwords for each new account you create. That way, if one of your passwords *is* leaked, adversaries can't take those leaked credentials and use them to brute force their way into your other accounts.
- Once you enroll in that password manager, use it to frequently update and rotate your passwords.
- Enroll in multi-factor authentication. Any type of MFA helps ensure bad actors can't use leaked credentials to log in to your accounts or devices: even if they have a complete set of usernames and passwords, you can still deny their login.
- Initiate a fraud alert to credit reporting agencies. Of course, this only applies to users who live in the U.S. (though I’m sure other countries have something similar; I can only confidently write about the process in the U.S.). This will let potential lenders know that you may be the victim of fraudulent activity so they will take extra steps to ensure it’s actually you filling out a credit application.
- If a company responsible for exposing your information offers you free credit monitoring, take advantage of it. We’ll be covering what identity monitoring does for users in tomorrow morning’s episode of Talos Takes, so stay tuned!
- Set up a unique passcode needed to make changes to certain accounts. AT&T is specifically advising customers to set up a passcode needed to prevent any significant account changes, such as porting phone numbers to another carrier.
The one big thing
Speaking of data breaches, adversaries know that users and companies are concerned about this threat, too, and they’re leveraging that in phishing attacks and scams. Talos researchers recently observed an ongoing cryptocurrency heist scam, active since at least January 2024, that combines social engineering techniques such as vishing and spear phishing and impersonates individuals and legitimate authorities to win victims' trust and manipulate them. Posing as investigation officers of CySEC (Cyprus Securities and Exchange Commission), the scammers in this campaign use the lure of refunding a fake seized amount from supposedly fraudulent trading activity on the Opteck trading platform to compromise the victims.
Why do I care?
This particular campaign seems to be successful, as wallets connected to the group have received tens of thousands of U.S. dollars in the Ethereum cryptocurrency. But this is also evidence of a broader trend on the threat landscape: Attackers will keep using data breaches as both a threat and a lure going forward. Users who are afraid of their data being leaked may be more likely to click on a phishing email or lure document that claims to have information on a leak. Or they may be more open to clicking on a link claiming to lead to “free” identity monitoring.
So now what?
Data breaches facilitate adversaries' scam campaigns by providing the information they need to carry out fraudulent activity, causing extensive financial, reputational and psychological damage to individuals and organizations. Building public security awareness is therefore a primary responsibility of organizations and the security community: it empowers individuals to protect themselves and supports organizational security efforts. By fostering a culture of security awareness, the risks associated with data breaches and scam campaigns can be reduced.
Trend Micro’s Zero Day Initiative publicly called out Microsoft for not crediting their researchers for a recently disclosed vulnerability. Security researchers at ZDI say they first informed Microsoft of the vulnerability in May and hadn’t heard anything about it again until it showed up in July’s Patch Tuesday, Microsoft’s monthly security update. The ZDI blog post has generated additional conversations in the security community about the pros and cons of coordinated vulnerability disclosure and existing problems with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) CVD program. There is also still uncertainty on the exact nature of the vulnerability, CVE-2024-38112. The initial discoverers say it is a remote code execution vulnerability that should be considered critical, though when Microsoft disclosed it, it came with a lower CVSS score and identified it as a spoofing vulnerability. “CVD doesn’t work if the only ones coordinating are the researchers. While these are Microsoft examples, there are multiple occasions from various vendors where ‘coordination’ simply means ‘You tell us everything you know about this bug, and maybe something will happen,’” Trend Micro wrote in their blog post. (Zero Day Initiative, The Register)
A data breach unmasked the company behind the spyware mSpy and a list of its customers. According to the data leak site Have I Been Pwned?, unknown attackers stole millions of customer support tickets, eventually leaking 142GB of data. The leaked information includes personal details of customers, emails to mSpy’s support team and email attachments. mSpy promotes itself as a phone surveillance app that can track users’ children or employees. However, it is often used to monitor people without their consent, like most spyware. The stolen data includes customer and user emails to mSpy support via the third-party software Zendesk. Leaked emails include targets who did not wish to have the spyware tracking their device, including journalists, and even U.S. law enforcement agents looking to file subpoenas or legal demands with the company. Once installed on an infected device, mSpy can monitor keystrokes, review text messages, track users’ locations, scrape their social media accounts and view the target’s sent and received photos. (TechCrunch, PC World)
The Iranian APT MuddyWater added a new backdoor to its malware arsenal known as BugSleep. Security researchers say the malware “partially replaces” the actor’s traditional use of legitimate remote monitoring tools. MuddyWater is known for its connections to Iran’s Ministry of Intelligence and Security (MOIS). The group’s most recent campaign included sending phishing emails that invite targets to attend online classes and webinars to 10 different Israeli companies. Some versions of BugSleep come with a custom malware loader that injects the backdoor into the active processes of several well-known applications, including Microsoft Edge, Google Chrome and Microsoft OneDrive, so that it can remain undetected. Talos has reported on several MuddyWater campaigns over the past few years against entities spread throughout the U.S., Europe, the Middle East and South Asia. Their campaigns are primarily designed to either steal sensitive information or execute ransomware on a targeted network. (The Register, Bleeping Computer)
- Cisco Talos Report Reveals Critical Insights in Ransomware Trends
- Cisco Talos analyzes attack chains, network ransomware tactics
- Cisco Talos: Top Ransomware TTPs Exposed
- Talos Takes Ep. #190: What we learned from studying the TTPs of the 14 most active ransomware groups
BlackHat USA (Aug. 3 – 8)
Las Vegas, Nevada
Defcon (Aug. 8 – 11)
Las Vegas, Nevada
BSides Krakow (Sept. 14)
Krakow, Poland
Most prevalent malware files from Talos telemetry over the past week