CyberWire Daily - AT&T's not so LOL hack.
Episode Date: July 12, 2024

AT&T wireless announces a massive data breach. NATO will build a cyber defense center in Belgium. The White House outlines cybersecurity budget priorities. A popular phone spyware app suffers a major data breach. Some Linksys routers are sending user credentials in the clear. Sysdig describes Crystalray malware. A massive phishing campaign is exploiting Microsoft SharePoint servers. Germany strips Huawei and ZTE from 5G infrastructure. Our guest is Brigid Johnson, Director of AWS Identity, on the importance of identity management. The EU tells X-Twitter to clean up its act or pay the price.

Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
At the recent AWS re:Inforce 2024 conference, N2K's Brandon Karpf spoke with Brigid Johnson, Director of AWS Identity, about the importance of identity and where we need to go. You can watch a replay of Brigid's session at the event, IAM policy power hour, here.

Selected Reading
AT&T Details Massive Breach of Customers' Call and Text Logs (Data Breach Today)
NATO Set to Build New Cyber Defense Center (Infosecurity Magazine)
New Presidential memorandum sets cybersecurity priorities for FY 2026, tasking OMB and ONCD to evaluate submissions (Industrial Cyber)
mSpy Data Breach: Millions of Customers' Data Exposed (GB Hackers)
Advance Auto Parts' Snowflake Breach Hits 2.3 Million People (Infosecurity Magazine)
These Linksys routers are likely transmitting cleartext passwords (TechSpot)
Known SSH-Snake bites more victims with multiple OSS exploitation (CSO Online)
Beware of Phishing Attack that Abuses SharePoint Servers (Cyber Security News)
Germany to Strip Huawei From Its 5G Networks (The New York Times)
EU threatens Musk's X with a fine of up to 6% of global turnover (The Record)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions.
This coffee is so good. How do they make it so rich and tasty?
Those paintings we saw today weren't prints. They were the actual paintings.
I have never seen tomatoes like this.
How are they so red?
With flight deals starting at just $589,
it's time for you to see what Europe has to offer.
Don't worry.
You can handle it.
Visit airtransat.com for details.
Conditions apply.
AirTransat.
Travel moves us.
Hey, everybody.
Dave here.
Have you ever wondered where your personal information is lurking online?
Like many of you, I was concerned about my data being sold by data brokers.
So I decided to try Delete.me.
I have to say, Delete.me is a game changer.
Within days of signing up, they started removing my personal information from hundreds of data brokers.
I finally have peace of mind knowing my data privacy is protected.
Delete.me's team does all the work for you with detailed reports so you know exactly what's been done.
Take control of your data and keep your private life private by signing up for Delete.me.
Now at a special discount for our listeners,
today get 20% off your Delete Me plan when you go to joindeleteme.com slash n2k and use promo code n2k at checkout. The only way to get 20% off is to go to joindeleteme.com slash n2k and enter code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k at checkout.
AT&T Wireless announces a massive data breach.
NATO will build a cyber defense center in Belgium.
The White House outlines cybersecurity budget priorities.
A popular phone spyware app suffers a major data breach.
Some Linksys routers are sending user credentials in the clear.
Sysdig describes Crystal Ray malware.
A massive phishing campaign is exploiting Microsoft's SharePoint servers,
Germany strips Huawei and ZTE from 5G infrastructure,
our guest is Brigid Johnson, director of AWS Identity,
on the importance of identity management,
and the EU tells X-Twitter to clean up its act or pay the price.
It's Friday, July 12th, 2024.
I'm Dave Bittner, and thank you for joining us.
Attackers have stolen logs of call and text interactions
from nearly every AT&T wireless customer, the company announced.
The data, which covers a six-month period in 2022, was taken from AT&T's
account on the data warehousing platform Snowflake. AT&T plans to notify around 110 million individuals
affected by the breach. The stolen data includes call and text records, phone numbers involved,
the count of interactions per day and month, and total talk time.
It also includes cell site ID numbers, which could help pinpoint users' approximate locations.
However, it does not contain sensitive information like subscriber names, dates of birth, social security numbers, or call timestamps.
Despite this, AT&T warns that publicly available tools could link phone
numbers to specific names. The breach, believed to have occurred between April 14th and April 25th
of this year, was first discovered on April 19th. AT&T immediately launched an investigation with
external cybersecurity experts and notified the U.S. Securities and Exchange Commission via
an 8-K filing. The SEC mandates reporting material cybersecurity incidents within four days,
except under certain circumstances. The U.S. Department of Justice allowed a delay in public
disclosure during its investigation. AT&T has been cooperating with law enforcement and reports at least one
person has been apprehended. AT&T clarified that this incident is unrelated to a separate data
leak involving 70 million customers advertised by the ShinyHunters group in 2021. In other
Snowflake-related news, Advance Auto Parts disclosed a significant
data breach affecting over 2 million job applicants and current and former employees.
The breach, occurring from April 14th through May 24th of this year, compromised their Snowflake
environment. Exposed data includes full names, social security numbers, driver's licenses, and government IDs.
Advance Auto Parts is offering 12 months of free identity theft protection and credit monitoring through Experian.
The incident was briefly acknowledged in a June Form 8-K SEC filing.
NATO members have agreed to establish the NATO Integrated Cyber Defense Center at the Supreme Headquarters Allied Powers Europe in Belgium.
Announced during NATO's 75th anniversary summit in Washington, D.C., the NICC aims to enhance resilience and respond to digital threats. The center will house civilian and military experts from member states
and utilize advanced technology to improve situational awareness and collective cyber
defense. Its primary role is to inform military commanders about offensive cyber threats and
vulnerabilities, including those affecting civilian critical infrastructure. NATO has
been bolstering its cyber capabilities, conducting defense
exercises and developing rapid response strategies. The NICC and similar initiatives respond to rising
threats from countries like Russia and China, emphasizing the alliance's commitment to
cybersecurity. The Executive Office of the President issued a memorandum outlining cybersecurity priorities for the fiscal year 2026 budget.
The OMB and ONCD will review agency responses, identify gaps, and provide feedback to ensure submissions align with the national cybersecurity strategy.
Key priorities include defending critical infrastructure, disrupting threat actors, shaping market forces, investing in resilience, and forging international partnerships.
Agencies must also enhance cybersecurity transparency, modernize IT systems, and adopt
zero-trust architectures. Budget submissions should support cybersecurity supply chain risk management
and foster public-private sector collaboration. Agencies must update zero-trust plans within 120
days and ensure resources for critical infrastructure protection and workforce
development. Additionally, agencies are encouraged to support the secure use of open-source software and prepare for quantum-resistant cryptography.
mSpy, a popular phone spyware app, has suffered a major data breach, exposing the sensitive information of millions of customers.
Brainstack, mSpy's parent company, has not publicly acknowledged the breach.
Disclosed by hacker Maia Arson Crimew, the breach involved over 100 gigabytes of Zendesk records,
including millions of customer service tickets, email addresses, and email contents.
The breach affects customers globally, including significant clusters in Europe, India, Japan, South America, the UK, and the US.
Troy Hunt of Have I Been Pwned added 2.4 million unique email addresses from the breach to his site's catalog.
The breach underscores the risks of spyware, which can be misused for unauthorized surveillance.
Users of Linksys Velop Pro 6E and 7 mesh routers should change their
passwords and Wi-Fi network names through an external web browser. These models transmit
sensitive data, including SSIDs and passwords, unencrypted to an Amazon server during initial
setup, potentially exposing users to man-in-the-middle attacks,
according to Belgian consumer organization Test-Aankoop.
New patches have been released,
but Linksys has not publicly addressed
whether the latest firmware fixes the issue.
Crystalray, a threat actor known for using SSH-based malware,
has expanded its operations to over 1,500 victims, utilizing multiple open-source software tools, according to a study from Sysdig.
After initial access, Crystalray installs backdoors and spreads across networks using SSH-Snake to gather credentials for sale.
Sysdig reports that Crystalray's activities now include mass scanning, exploiting vulnerabilities,
and deploying crypto miners for profit.
They leverage OSS tools like ZMAP, ASN, HTTPX, Nuclei, and Platypus,
modifying existing vulnerability proof of concepts for their payloads.
The group targets cloud service providers to steal credentials which are sold on black markets.
To defend against such attacks, Sysdig emphasizes proper vulnerability, identity, and secrets management
alongside effective detection and prevention tools.
Indicators of compromise are provided for reference in the report.
A massive phishing campaign is exploiting Microsoft SharePoint servers to host malicious PDFs with phishing links.
The attack, observed by malware hunting service ANY.RUN, has surged with over 500 detections in the last 24 hours.
This campaign uses trusted SharePoint services, making it hard
to detect malicious intent. The phishing flow involves an email link directing to a SharePoint
PDF, a CAPTCHA prompt, and a fake Microsoft login page. Users should verify email sources,
check URLs, and enable multi-factor authentication. Indicators of phishing include unexpected SharePoint notifications,
mismatched file types, urgent requests, and suspicious login pages.
The German government has agreed with major telecom companies
to phase out critical Huawei and ZTE components
from their 5G infrastructure over the next five years.
Interior Minister Nancy Faeser announced that Deutsche Telekom, Vodafone, and Telefonica
would discontinue using Chinese-made components in core 5G network parts by the end of 2026,
and from antennas, transmission lines, and towers by the end of 2029. This decision
aims to protect Germany's economy and communication systems from potential cybersecurity risks.
Despite no specific evidence against Huawei, the move aligns Germany with other European
countries and the U.S., which have already restricted Huawei and ZTE equipment.
Coming up after the break, our guest, Brigid Johnson, Director of AWS Identity,
on the importance of identity management. Stay with us.
Do you know the status of your compliance controls right now? Like,
right now? We know that real-time visibility
is critical for security,
but when it comes to our GRC programs,
we rely on point-in-time checks.
But get this.
More than 8,000 companies
like Atlassian and Quora
have continuous visibility
into their controls with Vanta.
Here's the gist.
Vanta brings automation
to evidence collection across 30
frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies, access
reviews, and reporting, and help you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to
vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off.
And now, a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. Learn more at blackcloak.io.
At the recent AWS re:Inforce 2024 conference, N2K's Brandon Karpf spoke with Brigid Johnson,
Director of AWS Identity, about the importance of identity and where things may be headed.
Here's their conversation.
I am here today at AWS re:Inforce with Brigid Johnson.
Brigid is the director of AWS Identity, and we were just chatting about the importance of identity.
Identity in the language of CyberWire is a first principle of security. Can you give us, Brigid, your view of the state of identity today,
why it's so critical,
and your perspective on where we need to go with identity?
Yeah, so when you think about identity,
I like to think about who can access what
and under which conditions.
And there's a lot of resources on the cloud,
a lot of data on the cloud,
and you want to make sure
that you have the right access controls
and identity controls all the way down. And so that fine grain power allows for the right access
controls based on your business needs and your security use cases. So, I mean, taking it from
even the attacker perspective, right? How does identity actually provide us better security?
Well, when it comes to security, right, you want
to make sure that you specify who has access to what in the most fine-grained way so that
individuals, whether it's humans or your workloads, only have the access that they need and nothing
beyond that. And so when you think about, you want to reduce any surface of access and reduce broad access so that if somebody gets access that they
shouldn't to an identity, it's only used for what they actually need.
You know, in my past, I've managed environments, I've managed workloads. You know,
one of the stressors that I always had was removing access or being more prescriptive
of who gets what when or what workloads have access to what when,
never really wanting to take that step and clean up the environment.
I was always afraid I was going to break something.
Have we solved that problem for the end user yet?
I think we're getting there, right?
We're taking the right strides to get closer.
So with Access Analyzer, we have a lot of data to help people see what is not used and what you can clean up safely.
And we're going to continue to invest in that area to build your confidence to restrict access and remove broad access. And so with Access Analyzer, we've been investing with unused access. And so
you can find unused access keys. You should feel pretty confident to delete those, especially if they
haven't been used for, I don't know, half a year, an entire year, unused roles. And then for your
individual roles, you want to remove unused access. And so the way I like to think about it is for
human access, maybe you do need that. Maybe you need it in dev. You want people to explore. You
want developers to have a little bit of freedom. But as you go up to production, both for human access and specifically for workload access, you should only be granting
access to what is actually needed. And using the data of essentially what you did use and then
crafting a policy that is fine-grained based on that data is a really powerful workflow.
You shared before we started recording that you have some announcements about
Access Analyzer. Would you feel free to kind of share what's coming with Access Analyzer and how
folks can actually deploy this and use that in their environments?
Yeah. So when we talked with customers, a lot of them, you know, they're running environments
across multiple accounts and across their organization. And so with Access Analyzer,
starting in December, we launched unused access findings.
So you can turn on for your organization.
You can also turn on a member account
and it will identify a finding of unused access keys,
unused roles.
And for the roles that are being used,
it actually tells you what permissions you aren't using.
And so this gives you,
one, it helps you identify central security teams,
identify what is no longer used in my environment.
Maybe it no longer brings me joy and I can get rid of it.
And so what we're doing today here at re:Inforce is we're extending that feature.
And now we're actually generating a policy for customers so that they can remediate that and remove that unused access.
Part of that you were, you mentioned there's a policy aspect.
There's recommendations as part of this.
There's policy as code integrated into this for an end user.
How can a user take this and then turn it into actual organizational policy
to affect the long-term identity security of an organization and their workloads?
Yeah, and so that's what most customers are going to want to do is they're going to want to get
these policies in the hands of developers, right? And so we are working with Access Analyzer to
bring policy analysis, policy generation closer to development because what we are seeing in
customers is they apply those guardrails and then they allow developers to deploy their own policies.
And that's great, right? This allows developers to move faster. And I actually love this evolution of permissions
in the cloud. And so, one, we have policy generation, so developers can run their workload
and then they can start pretty broad and then they can essentially generate a policy. So that
existed prior to today. But then they're probably going to get a knock on their door eventually
from central security teams saying like,
hey, you had this workload running for a while
and you need to scope down permissions.
It's too broad.
And that's where the policy recommendation will come into play.
And so the central security team can share that policy recommendation
with the developer.
The developer should look at it, verify it's right.
And we'll talk about the verifying stuff in a second and then put it in their pipeline to get to the right permission. You preempted my next question, which was,
of all the developers I know, every single one of them wants the keys to the kingdom. They want to
be totally in control. So this idea of pushing, you know, identity and control to the developers
and policy controls and allowing them to experiment and be fast and move fast. But I also know developers love taking more than they probably should, right? They always want more. They're always going to ask for more.
that central security team might maintain that level of control, you know, mitigate the risk of an overly zealous dev, which, you know, having been a dev in my own past, like I was that overly
zealous dev. Yeah. And I think that's fine for development, right? And so what we've seen
customers implement, and I love this story is, okay, your central security team, your job is to
apply those guardrails, right? Let those
devs have a little bit broader access in dev and let them bump up against those guardrails.
And that could be making sure that they can't write data outside the organization. That can
mean that they're not deleting critical resources like central security roles within their dev
account. Okay, so this is in dev. They need to explore. They need to kind of figure out what their workloads need. They need to try things out. That's encouraged. But then as you go up the stack, as you go into production, you want to verify that you're not granting broad access. You want to verify that there's not public access. You want to verify that you're trimming down permissions. And so this is where we're working
and we have a few checks,
we call them custom policy checks,
that we're allowing devs.
And what we're seeing is customers
are putting these in the CICD pipelines.
Okay.
And so you can say, for example,
maybe you start a little bit broad.
Hey, dev, this is what you need for your workload,
typical workload.
And you can check that as the dev updates the policy,
it doesn't grant new access.
Right. So, okay. Then it's like always either equal to or smaller than what might be your
default workload permissions. Okay. So, making sure that they're not fundamentally changing the
core policy, even though they might be experimenting and pushing that boundary.
Right. And then there's other checks that were added. So you can say check access not granted. So let's say in production, you have some really critical resources. I don't know, a DynamoDB table with all of your data in it. And you just want to say like, hey, make sure that the roles do not grant access to delete that table. That would be really not great if we had that access floating around. Even though you might have a guardrail around it, you just don't want it out there. And so that's another check you can do. And then we also have
checking for public access. And so you can have a resource-based policy and essentially make sure
it's not public, granting public access. You mentioned the importance, though,
of verifying these things. And I can see that as a core challenge. How do you actually provably and with confidence verify that you've deployed these things correctly, that they're functioning
as they should? So how do you do that? Yeah. So all of those checks that I just mentioned
are based on automated reasoning. Really excited about automated reasoning. We try to work it into
a lot of the Access Analyzer products when it makes sense. So automated reasoning is essentially we turn AWS into math and then we can ask it questions. And that question is answered by
proof. And so when you say, hey, does this policy grant any new access? We actually know
provably that the policy that you're submitting does not grant new access. Okay. That's, I mean,
that's probably a little beyond my
knowledge of math, but I mean, math is fundamentally provable. So that's deployed right now in this
environment. Yep, yep. So you can use that. And we're seeing more and more customers put their
custom checks into CI CD pipelines. And yeah, it's backed by automated reasoning, and it's very,
very powerful. With the new launch with Access Analyzer that you're announcing today and backed, you know, verified through automated reasoning, as a user, how will I be interacting?
How will I see that verification?
What will be my experience as a user?
When you're using the custom checks, you pass in a policy and you pass in what you care about.
We will give you an answer.
And so you get a very easy answer, pass or fail.
And this is what makes it easy to put
into your CICD pipelines or in your tooling.
Some customers have built custom policy tooling as well.
And so that's all.
You don't deal with automated reasoning,
but you know that it's not just Brigid on the other end
reading your policy and giving an answer.
Got it.
So I don't have to worry about understanding the math or I just, it's the
fact that it is turning AWS into math based on a proof and verifying that what I've requested it
to do, it's actually doing that. Yes. Yes.
These are great developments in identity, but obviously identity isn't solved. We're not at
that panacea yet. So what is next? What are the next things
that we need to address with identity? Yeah. So I think when you look at how we've worked
with customers, we've invested in two areas. One is going to be that central security team.
Their job is to, yes, apply the guardrails. So we'll make that easier and easier. Their job is also to verify
that access is adhering to their security standards. So we're going to give more tools
to help them verify that information. And then with that, last year, we actually launched a
dashboard. And so that can help the central security team kind of identify maybe some
problem areas where they need to spend their time and attention. Maybe you'll see a bunch of unused access or some external access in dev and you're like,
that might be okay. But if it's in your prod environment for one of your critical resources,
you want to narrow in on that. So that dashboard can help. So we're going to continue to invest
in the central security team to help them identify where they need to spend their time
and attention. And we'll also help them identify and verify their access controls
are adhering to their security standards.
Then you want to essentially get access controls
adhering to the security standards
and getting to the right permissions
and the functional permissions
closer to development, right?
And so we're seeing this more and more.
So we'll provide more tools
to get to the right policy for these developers,
more tools to verify
they're adhering to security standards.
Because really our goal
is to enable developers
to have a lot of agility
when it comes to building on AWS
and setting the right access controls.
That is what we care about.
Brigid Johnson,
thank you so much for coming on the show.
We look forward to having you back.
Yeah, thanks.
That was great.
That's N2K's Brandon Karpf with the story. Our thanks to Brigid Johnson from AWS for joining us.
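The custom policy checks discussed in the interview (no new access, access not granted, no public access) each reduce a policy question to a pass/fail answer that a pipeline can act on. The Python below is an added, stand-alone illustration of what each of those three checks asks of a policy; it is not AWS code and not the automated-reasoning service Brigid describes (the real calls are the IAM Access Analyzer API operations CheckNoNewAccess, CheckAccessNotGranted and CheckNoPublicAccess). It uses plain string and wildcard matching, supports only Allow/Deny statements with Action, Resource and Principal, and errs toward reporting a failure whenever it cannot cheaply prove a policy safe. The account ID, ARNs and policies at the bottom are constructed samples.

```python
"""Toy versions of the three custom policy checks discussed above.
Added illustration, not AWS code: the real checks are the IAM Access Analyzer
operations CheckNoNewAccess, CheckAccessNotGranted and CheckNoPublicAccess,
which are backed by automated reasoning. This version handles only Allow/Deny
statements with Action, Resource and Principal, and reports a failure whenever
it cannot cheaply prove the policy safe."""
import json
import re

UNSUPPORTED = ("NotAction", "NotResource", "NotPrincipal")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _load(policy):
    return json.loads(policy) if isinstance(policy, str) else policy


def _pattern(glob, ignore_case):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    regex = "^" + re.escape(glob).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.compile(regex, re.IGNORECASE if ignore_case else 0)


def _grants(policy):
    """Yield (effect, action, resource, statement) for every Action x Resource pair."""
    for stmt in _as_list(_load(policy).get("Statement", [])):
        for action in _as_list(stmt.get("Action", [])):
            for resource in _as_list(stmt.get("Resource", [])):
                yield stmt.get("Effect"), action, resource, stmt


def _covers(old, new, ignore_case):
    """True only when every string matching `new` provably matches `old`.
    Pattern-versus-pattern subsumption is not attempted: a wildcard in `new`
    is covered only by '*' or by an identical pattern (the safe direction)."""
    if old == "*" or (old.lower() == new.lower() if ignore_case else old == new):
        return True
    if "*" in new or "?" in new:
        return False
    return _pattern(old, ignore_case).match(new) is not None


def check_no_new_access(new_policy, existing_policy):
    """Findings (empty = pass) for every Allow in new_policy that the existing
    policy does not already grant. The existing policy must be a plain
    Allow-list: Deny, Condition and Not* elements narrow it in ways this toy
    does not model, so they are reported rather than silently ignored."""
    findings, baseline = [], []
    for effect, action, resource, stmt in _grants(existing_policy):
        if effect != "Allow" or "Condition" in stmt or any(k in stmt for k in UNSUPPORTED):
            findings.append(f"reference statement {stmt.get('Sid', '?')} is not a plain Allow")
            continue
        baseline.append((action, resource))
    if findings:
        return findings
    for effect, action, resource, stmt in _grants(new_policy):
        if any(k in stmt for k in UNSUPPORTED):
            findings.append(f"unsupported element in statement {stmt.get('Sid', '?')}")
        # Deny only narrows access, and ignoring Condition also errs on the safe side.
        elif effect == "Allow" and not any(
            _covers(a, action, True) and _covers(r, resource, False) for a, r in baseline
        ):
            findings.append(f"new access: {action} on {resource}")
    return findings


def check_access_not_granted(policy, critical_actions, resource="*"):
    """Findings for every Allow whose Action pattern matches a critical action
    on the given resource ('*' = any). Deny and Condition are ignored, so this
    over-reports rather than under-reports."""
    findings = []
    for effect, action, res, stmt in _grants(policy):
        if effect != "Allow":
            continue
        for critical in critical_actions:
            if _pattern(action, True).match(critical) and (
                _covers(res, resource, False) or _covers(resource, res, False)
            ):
                findings.append(f"{critical} on {res} granted by statement {stmt.get('Sid', '?')}")
    return findings


def check_no_public_access(resource_policy):
    """Findings for every Allow statement whose Principal is the wildcard
    (anyone). Conditions that might narrow the wildcard are ignored: flag first."""
    findings = []
    for stmt in _as_list(_load(resource_policy).get("Statement", [])):
        principal = stmt.get("Principal", {})
        names = (_as_list(principal) if isinstance(principal, (str, list))
                 else [p for v in principal.values() for p in _as_list(v)])
        if stmt.get("Effect") == "Allow" and "*" in names:
            findings.append(f"public principal in statement {stmt.get('Sid', '?')}")
    return findings


def verdict(findings):
    """The pass/fail answer a CI/CD step would key on."""
    return "PASS" if not findings else "FAIL"


# Constructed sample policies (not from the page or from AWS).
ORDERS_TABLE = "arn:aws:dynamodb:us-east-1:123456789012:table/orders"
BASELINE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Read", "Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-data", "arn:aws:s3:::example-data/*"]},
    {"Sid": "Table", "Effect": "Allow", "Action": "dynamodb:GetItem", "Resource": ORDERS_TABLE}]}
PROPOSED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Read", "Effect": "Allow", "Action": "s3:getobject",
     "Resource": "arn:aws:s3:::example-data/*"},
    {"Sid": "Table", "Effect": "Allow", "Action": "dynamodb:*", "Resource": ORDERS_TABLE}]}
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Open", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-data/*"}]}

if __name__ == "__main__":
    for name, findings in [
        ("no-new-access", check_no_new_access(PROPOSED, BASELINE)),
        ("access-not-granted", check_access_not_granted(PROPOSED, ["dynamodb:DeleteTable"], ORDERS_TABLE)),
        ("no-public-access", check_no_public_access(BUCKET_POLICY)),
    ]:
        print(name, verdict(findings), findings)
```

In a pipeline the developer's proposed policy and the team's baseline go to the real service, and the build fails on anything other than a pass; a local approximation like this one is only useful as a fast pre-commit filter, because pattern-versus-pattern subsumption with IAM wildcards and Condition keys is exactly the part that needs the automated-reasoning backend.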
Cyber threats are evolving every second, and staying ahead is more than just a challenge. designed to give you total control, stopping unauthorized applications,
securing sensitive data, and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. And finally, the European Commission has formally told Elon Musk's social media platform,
formerly Twitter, that it believes the company is breaching the EU's tech regulations.
This revelation follows a December investigation and could
lead to fines of up to 6% of X-Twitter's global annual turnover. The Commission's
preliminary findings accuse X-Twitter of breaking Digital Services Act rules on dark patterns,
advertising transparency, and data access for researchers. X-Twitter's sale of the blue checkmark for verification has been deemed deceptive,
with malicious actors using it to fool users.
The platform's non-compliance with EU transparency laws for ads also ruffled feathers,
as its ad repository apparently rivals a labyrinth in complexity.
Moreover, X-Twitter's data access policies for researchers
were likened to a Herculean challenge, with exorbitant fees and restricted API access,
making it nearly impossible for researchers to do their job. Thierry Breton, the commissioner for the
internal market, hinted at significant fines and mandatory changes if these findings hold.
While TikTok and Meta are also under the EU's magnifying glass,
X-Twitter has the option to appeal and suggest remedies. Interestingly, since going private,
X-Twitter no longer discloses its revenues, although Musk admitted to declining earnings last year.
When it comes to compliance, Mr. Musk's X-Twitter seems to be lost in cyberspace.
And that's the Cyber Wire. For links to all of today's stories,
check out our daily briefing at thecyberwire.com.
Be sure to check out this weekend's Research Saturday and my conversation with Asheer Malhotra and Vitor Ventura from Cisco Talos.
We're discussing their research, "Operation Celestial Force employs mobile and desktop malware to target Indian entities."
That's Research Saturday. Check it out.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
We're privileged that N2K Cyber Wire
is part of the daily routine
of the most influential leaders and operators
in the public and private sector
from the Fortune 500
to many of the world's preeminent
intelligence and law enforcement agencies.
N2K makes it easy for companies
to optimize your biggest investment,
your people.
We make you smarter about your teams
while making your teams smarter.
Learn how at n2k.com.
This episode was produced by Liz Stokes.
Our mixer is Trey Hester, with original music and sound design by Elliot Peltzman.
Our executive producer is Jennifer Eiben.
Our executive editor is Brandon Karpf.
Simone Petrella is our president.
Peter Kilpe is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here next week.
and data into innovative uses that deliver measurable impact. Secure AI agents connect,
prepare, and automate your data workflows, helping you gain insights, receive alerts,
and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.