Hackers publish data allegedly stolen from MobiKwik. Study finds European telcos leave user data vulnerable. Ubiquiti breached through exposed credentials.

At a glance.

• MobiKwik investigates alleged data breach.
• European telcos' data may be vulnerable to exposure.
• Ubiquiti and the risk of stolen credentials.
• Data taken from Accellion customers dumped online.
• A tax season threat to school and university data.

Hackers publish data allegedly stolen from MobiKwik.

TechCrunch reports that threat actors have exposed data allegedly belonging to Indian mobile payments startup MobiKwik. Hackers on the dark web claim they’ve obtained 8.2 terabytes of MobiKwik user data including hashed passwords, partial credit card numbers, and identification documents like government-issued Aadhaar card or PAN ID numbers belonging to 3.5 million users. A cybercriminal is selling access to the database on the dark web for $70,000. MobiKwik, however, denies that the data is theirs or that a breach ever occurred. As the firm told MoneyControl, “Some media-crazed so-called security researchers have repeatedly attempted to present concocted files wasting precious time of our organization as well as members of the media. We thoroughly investigated and did not find any security lapses.” The Free Software Movement of India (FSMI) has filed a complaint with the Indian Computer Emergency Response Team (CERT-IN) urging them to investigate the alleged breach, Hindu Businessline reports. FSMI stated, “The data is available on the dark web. Mobikwik being a digital wallet, the breach would expose its customers to cyber security attacks.” 

Study finds European telcos leave user data vulnerable.

After analyzing the leading mobile service providers in seven European countries, the researchers at TalaSecurity have found that insecure website supply chains are exposing user data to potential compromise, MarTech Series reports. Forms used to collect mobile user data like banking information and passport numbers are accessible to an average of 19 third-parties, leaving the data vulnerable to Magecart attacks. The companies’ sites had extremely ineffective security measures: on a 100-point scale (where a 50 indicates limited control) the average for the providers in question was a meager 4.5 points. All of the sites were susceptible to the most prevalent site attack method, cross-site scripting, and the average number of third-party JavaScript integrations on the sites was 162. Without proper mitigation, every piece of JavaScript code running from vendors in the website’s supply chain is a possible chink in the armor, allowing potential client-side attacks. Tala Security’s VP of Products Deepika Gajaria explained, “While most online businesses do a great job protecting data after the user has entered it, few seem to be aware of data leakage as an unintended consequence of the dynamic, rich website experience telcos are known for.”

Ubiquiti breached through exposed credentials.

An anonymous source blows the whistle on Ubiquiti. The California-based wireless device manufacturer, announced in January that their third-party cloud provider experienced a data breach that resulted in the exposure of customer account data. KrebsOnSecurity reports that an anonymous source has now come forward claiming that the breach was worse than Ubiquiti implied. Though Ubiquiti implied the cloud provider was the target of the attack and that Ubiquiti was not at fault, the source alleges that in reality, Amazon Web Services (AWS) is the “provider” referenced, and that the hackers actually targeted Ubiquiti, obtaining full administrative access to their AWS storage bucket. While AWS secures the server hardware, it is the responsibility of the client (in this case Ubiquiti) to secure the actual data stored there. In a letter to the European Data Protection Supervisor, the source wrote: “It was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers. The breach was massive, customer data was at risk, access to customers’ devices deployed in corporations and homes around the world was at risk.” 

Matt Lock Technical Director at Varonis offered the following comment, noting the challenge of dealing with third-party risk:

“The whistleblower’s claims that attackers found credentials for the company’s cloud services accounts on an employee’s password manager shows you’re only as strong as your weakest link. You can be doing everything right with your security and still be at risk. In this case, you may think you are safer by using local storage for your home video monitoring, but that isn't necessarily true. IoT attacks erase boundaries between your home network and every provider you allow into it. Ultimately you must ask yourself if you trust your provider – and their provider--to keep the bad guys out."

Robert Meyers, channel solutions architect at One Identity, noted the way in which IoT-provider breaches cascade across organizations and sectors, and offered advice on how to respond: 

“When a major IoT provider has a breach, it reaches across industries and brings up questions of privacy and security. Well, it happened. While Ubiquiti was breached in January, details that have come to light this week highlight the importance of what can happen when you do not manage three areas with the concept of both privacy and security: privileged access management, log management, and least privileged access. Here are some observations and recommendations:

"Today if you have privileged accounts, they simply need to be managed like privileged accounts. They need to have multiple layers of security. They need to have auditing, which happens in real-time for at least the basics. Access for privileged use has to be restricted to the minimum access required to do the job, yes that touches on least privilege which goes hand in hand. If you don’t manage your privileged accounts in business, then you are ignoring security.

"Now if log management was a control point, it could have been caught quicker, and if the logs were managed, they would allow a live track down of who did the deed, instead of the waffling we have seen.

"And least privilege. Companies need to stop making universal access accounts. You can only breach what you can access. So don’t give people access to what may be tens of millions of accounts… and whatever else those files included.

"In the world of privacy laws and compliance requirements, you need a data lifecycle for all your data. It should cover creation, use, storage, and deletion. And all this should include pseudonymization of the data when it cannot be anonymized, in addition to encryption and general security.

"It’s time to get with the times and not be stuck announcing breaches, let alone for details needing to rely on a whistleblower that speaks on the condition of anonymity for fear of retribution. Secure your company, and be able to stand up tall and say what your company has done for its customers.”

PJ Norris, senior systems engineer at Tripwire, sees a problem with the cloud customer as well as the cloud provider:

“[In] this particular case, Ubiquiti suggested the fault was with a cloud provider, when in fact the faults appear to be Ubiquiti. They failed to take responsible actions and decided to play down the breach for the sake of their share price. This is a prime example where the organisation is responsible for the security controls within Cloud environments and not necessarily the Cloud Service Provider. The CSP provides the platform and tools for organisations to secure their environments and should not be held accountable for weakened security. Hardening systems is the best way for organizations to secure their cloud and prevent inadvertent exposure.

"Furthermore, the report suggests that the actions the organisation took with their customers was not the right one. Instead of asking them to change their password or enable 2FA, the company should have forced a password reset, since the attackers already the secure keys.

"Another highlight from the report shows that the breach came from someone’s LastPass account, where 'all the eggs were placed in one basket.' 2-factor authentication or additional security controls should be put in surrounding the storage of passwords. Credentials to critical systems should be stored using an enterprise-grade password vault.”

Stolen Shell data exposed after Accellion breach.

As the fallout from the Accellion breach continues to impact the cloud service provider’s clients, the FIN11 threat group responsible for the breach has published data allegedly stolen from fuel giant Shell, Security Week reports. As the CyberWire noted, Shell disclosed last week that they were among the entities compromised in the breach of Accellion’s File Transfer Appliance file sharing service, stating that the attackers stole corporate and employee data. Now a portion of the stolen files have appeared on a Tor-based ransomware leak website. Shell is not the first victim of the Accellion breach to have their data exposed on FIN11’s leak site. Not long after the University of Miami Health System admitted they had been impacted by the breach, the hackers published their patient data. Other victims include cloud security firm Qualys, grocery chain Kroger, and the Office of the Washington State Auditor.

IRS warns that cybercriminals can be expected to go after schools and universities.

One might not normally associate tax season with phishing schemes going after academic institutions, but the US Internal Revenue Service warns that indeed this is a problem. The IRS has noticed an opportunistic surge in phishing emails, usually attempting to impersonate the IRS, targeting recipients whose email addresses use the dot edu top-level domain. "The suspect emails display the IRS logo and use various subject lines such as 'Tax Refund Payment' or 'Recalculation of your tax refund payment,' the IRS warns, explaining that, "It asks people to click a link and submit a form to claim their refund." Needless to say, don't click that link. That's not how the IRS would communicate with taxpayers in any case.

Niamh Muldoon, global data protection officer at OneLogin, wrote:

 “Students and staff are not only dealing with the chaos of the pandemic, but now are being targeted in relation to their tax refunds. Distractions are plentiful as people start to reconnect and adjust to hybrid learning and schedules. Information floods in, typically by email and collaboration tooling. Unfortunately, recipients are often ill-prepared to determine if devices are configured with security in mind.

"Seeing that cybercriminals have consistently targeted academic institutions through various threat vectors including phishing campaigns, it would be wise for these education institutions to offer support and training. The training really should be provided prior to providing devices and online system access. It is only through security awareness training that students and staff can make better informed decisions. Partnering with IAM trusted providers to implement two-factor authentication reduces associated risks of unauthorized access to education devices and systems.”

 Chris Hauk, consumer privacy champion at Pixel Privacy, points to the convergence of tax season with the current criminal fashion for going after schools and universities:

“It's tax season, and of course the bad actors of the world are trying to take advantage of it. Combine this with their current infatuation with targeting educational institutions, and users in .edu domains need to stay ever alert. Users need to keep in mind that they should never open an attachment or click a link in an unrequested email. Also, remember that the IRS does not normally initiate contact with taxpayers by email, nor does it send text messages or contact through social media channels.”

Comments are closed.