The InfoSec Board Brief

An insider cybersecurity and compliance intelligence briefing for board members about essential GRC frameworks like ISO 27001, GDPR, HIPAA, PCI, SOC2, CMMC, NIST 800-171, and others.
July 2023 Edition

Amir Tarighat
Aug 13, 2023

Table of Contents

  1. 700,000 TikTok Accounts in Turkey Compromised

  2. Ongoing Repercussions from MOVEit Hack Bring Up Software Supply Chain Concerns

  3. “Fourth Amendment is Not For Sale Act” Works to Protect Data From Law Enforcement

  4. Stalkerware App Made Millions by Forging Identities

  5. VirusTotal Apologizes for Human Error-Driven Data Exposure

  6. Typo Leads to Continuing Military Data Leak

  7. Dutch Patient Data at Risk for Data Leakage

  8. Amazon Van Surveillance Camera Footage Ending Up On Reddit

  9. IT Firm JumpCloud Experiences Security Breach by Unnamed Nation-State

  10. Biden-Harris Administration Proposes “U.S. Cyber Trust Mark”


1. 700,000 TikTok Accounts in Turkey Compromised

What Happened:

Weeks before the presidential election in Turkey, around 700,000 TikTok accounts in Turkey had their private information exposed and their control compromised.

What to Know:

  • The vulnerability came from TikTok’s “grey routing” of SMS messages through insecure channels during the account verification step

  • Grey routing of a message is when a message bypasses international messaging laws and fees and travels through illegal channels before reaching its destination. Companies do this to keep down costs and avoid guardrails.

  • Prior to the breach, TikTok was warned by the U.K.’s National Cyber Security Centre that this practice posed cybersecurity threats

  • This is the largest company-confirmed compromise of TikTok

  • This comes at a time when TikTok and parent company ByteDance have been facing increased scrutiny for shaky security practices

Business Impact:

Companies utilizing grey routing should be wary of the cybersecurity threats inherent to this practice and consider alternate modes of account verification

What to Do:

  • In response, TikTok introduced passkeys so users could log into their accounts without using an SMS code. Users of TikTok should consider opting out of SMS verifications for their accounts

For more information, check out this article.


2. Ongoing Repercussions from MOVEit Hack Bring Up Software Supply Chain Concerns

What Happened:

The Cl0p extortion group responsible for the MOVEit hack continues to post the names of hundreds of companies, state and local governments, universities, and other organizations on its dark web leak site, threatening to leak the data of named victims if payment demands are not met.

What to Know:

  • The breach initially occurred in May and there are no signs of a slowdown in reported incidents.

  • With about 369 organizations confirmed to be affected by the breach, this is the most widespread file transfer hack ever recorded. Most of the victims are direct Progress Software customers or entities that purchased or used its file transfer service.

  • There are at least 73,000 entities that tech-solution company Exiger is “moderately confident” could inadvertently have exposed their data to theft in the hack due to relationships with third-party providers

What to Do:

  • Reconsider the avenue through which you transfer files for your business and double check for safety and security of data transfer

  • Users of Progress Software products are especially exposed and should consult a cybersecurity expert to determine whether they are victims of a data leak

  • Consider software supply chain vulnerabilities that your business may face

  • Many of the victims don’t use MOVEit Transfer, but they send their data to third-party providers who do. Consider who your third-, fourth-, or fifth-party providers may be and understand how they handle the data you may be sending them.

For more information, check out this article.


3. “Fourth Amendment is Not For Sale Act” Works to Protect Data From Law Enforcement

What Happened:

The House Judiciary Committee advanced the “Fourth Amendment is Not for Sale Act,” legislation that would prevent data brokers from selling consumer data to government agencies.

What to Know:

  • Proponents of the legislation argue that purchases of data by government agencies breach the Fourth Amendment. Such purchases allow law enforcement to bypass the judicial system’s requirement for a warrant

  • Without this bill, information like location and internet records can be purchased directly from data brokers. This allows law enforcement to evade the warrant process required to get the same information from phone companies directly

  • With bipartisan support, this bill suggests both sides agree that law enforcement’s access to digital data needs to be regulated

What to Do:

  • Keep an eye out as this continues to move forward. Eventually, the bill might be included in a bigger surveillance reform package

For more information, check out this article.


4. Stalkerware App Made Millions by Forging Identities

What Happened:

TheTruthSpy, a collection of Android “stalkerware” surveillance apps, has compromised hundreds of thousands of phones.

What to Know:

  • Vietnam-based startup 1Byte is behind the development of TheTruthSpy. To stay under the radar, 1Byte devised a network of fake identities with forged American passports to cash out customer payments into bank accounts that on the surface looked like accounts owned by Americans but that 1Byte actually controlled. That way, the fake sellers would take the fall if the operation was discovered by authorities. Through this intricate system of fake identities, 1Byte made millions.

  • TheTruthSpy’s database contains a record of close to 400,000 victims

  • 1Byte faced constant difficulty in finding a way to process payments and eventually built its own checkout website, called Affiligate, which quickly began handling the majority of customer payments for TheTruthSpy and other cloned apps. It was designed to look and feel like a legitimate software reseller marketplace to outsiders while acting as a payment processor for 1Byte’s stalkerware products. However, Affiligate still needed to rely on an outside company for credit card payments and eventually used Stripe to process them at scale.

  • 1Byte’s forgeries were extensive: passports, driver licenses, and proof of U.S. residency were forged; email addresses were used to establish merchant accounts; burner phone numbers were acquired. A deeper dive shows that some of the home addresses 1Byte listed for its employees don’t exist, some SSNs belong to deceased persons, and forged government documents contain typos

  • 1Byte hosted the phone data in Texas web hosting data centers

  • Stalkerware developers and companies are notoriously susceptible to hacks

What to Do:

  • TechCrunch created a free tool that allows anyone to check if their phone has been compromised: https://techcrunch.com/pages/thetruthspy-investigation/. Consider checking your devices

For more information, check out this article.


5. VirusTotal Apologizes for Human Error-Driven Data Exposure

What Happened:

VirusTotal issued an apology for the recent customer data exposure incident. The incident was due to human error and not related to a cyberattack.

What to Know:

  • An employee accidentally uploaded a file containing information about customers (including company names, associated VirusTotal group names, and email addresses of group admins) to the VirusTotal platform. It was removed within one hour of its posting.

  • The file was only accessible to partners and cybersecurity analysts who hold premium accounts. No anonymous user or malicious entity would have had access to the premium platform, and thus none could have leaked the data.

Business Impact:

  • Businesses should take this as a reminder to regularly schedule training sessions with employees in order to reduce the opportunities for human-error-driven data spills

What to Do:

  • Consider implementing internal processes and technical controls to improve security of customer data

  • Restrict employee access to customer data to those employees for whom it is essential to their role

To view the apology, click here.


6. Typo Leads to Continuing Military Data Leak

What Happened:

Millions of US military emails have been misdirected to Mali through a “typo leak.”

What to Know:

  • The top-level domain of all US military email addresses is .MIL; however, it is commonly mistyped as .ML, the country-code domain for Mali, and as a result emails are sent to that domain instead of the military domain. The problem was first identified about a decade ago.

  • Highly sensitive information like diplomatic documents, tax returns, passwords, and travel details of top officers has been exposed. Additional email contents include medical data, crew lists for ships, photos of bases, naval inspection reports, bullying investigations, and financial records. None of the information was marked classified.

  • Mali’s government is closely allied with Russia

For more information, check out this article.
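The typo leak above is the kind of misdirection an outbound mail gateway can catch before the message leaves. The following is an added example, not code from the newsletter or from any military mail system: it builds a watchlist of one-character-deletion typos of an organisation’s own domains (the .MIL to .ML case generalised to any top-level label) and flags recipients that match. The internal domains `example.mil` and `mail.example.mil` and the sample recipients are constructed placeholders.

```python
# Added example (not from the newsletter): flag outbound recipients whose
# domain is a one-character-deletion typo of an organisation's own domain,
# the .MIL -> .ML mistake generalised to any top-level label.
# INTERNAL_DOMAINS and any sample recipients are constructed placeholders.

INTERNAL_DOMAINS = {"example.mil", "mail.example.mil"}  # constructed


def typo_variants(domain: str) -> set[str]:
    """Domains formed by deleting one character from the top-level label,
    e.g. 'example.mil' -> {'example.ml', 'example.il', 'example.mi'}."""
    labels = domain.lower().split(".")
    tld = labels[-1]
    variants = set()
    for i in range(len(tld)):
        shorter = tld[:i] + tld[i + 1:]
        if shorter:  # a one-letter TLD would vanish entirely; skip that case
            variants.add(".".join(labels[:-1] + [shorter]))
    return variants


def build_watchlist(internal_domains) -> dict[str, str]:
    """Map each typo'd domain back to the legitimate domain it resembles."""
    return {v: d for d in internal_domains for v in typo_variants(d)}


def flag_misdirected(recipients, internal_domains=INTERNAL_DOMAINS):
    """Return (address, intended_domain) for every recipient whose domain,
    or a parent of it, is on the typo watchlist. Addresses without '@'
    are ignored rather than raising."""
    watch = build_watchlist(internal_domains)
    findings = []
    for addr in recipients:
        _, sep, domain = addr.rpartition("@")
        if not sep:
            continue
        domain = domain.lower()
        # Check the full domain and every parent (sub.example.ml -> example.ml)
        labels = domain.split(".")
        for start in range(len(labels)):
            candidate = ".".join(labels[start:])
            if candidate in watch:
                findings.append((addr, watch[candidate]))
                break
    return findings
```

A gateway rule would hold any flagged message for sender confirmation rather than silently dropping it, since a genuine .ML correspondent is rare but possible.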


7. Dutch Patient Data at Risk for Data Leakage

What Happened:

Dutch family doctor medical records are stored on servers owned by a commercial software company without some patients’ knowledge.

What to Know:

  • Canadian-owned software company Calculus allows doctors to share encrypted patient information with other doctors in the region to facilitate treatment for certain patients. The problem is that some doctors are claiming that all patient files are being copied, not just those that are necessary

  • There is a risk of a massive data leak because Calculus is storing too much data in one place


8. Amazon Van Surveillance Camera Footage Ending Up On Reddit

What Happened:

Anonymous Reddit users have been posting video footage from the in-van cameras that Amazon uses to monitor drivers to the subreddit r/AmazonDSPDrivers.

What to Know:

  • Amazon delivery service partners (DSP) are small-business contractors responsible for Amazon’s door-to-door deliveries. They select routes, dispatch drivers, and monitor their actions on the road with cameras

  • Amazon drivers have to sign a “biometric consent” form that allows them to be monitored while on the job

  • It isn’t clear who exactly is posting these videos or how they have access, but they seem to be DSP employees who have access to the camera stream

  • The cameras Amazon uses are AI-enabled to monitor drivers’ speed, location, and actions on the road

Business Impact:

Employees are becoming ever-more concerned with data breaches at the hands of their parent companies and may become less willing to work for companies that violate their privacy.

What to Do:

  • If you’re a business owner, make sure your employees are aware of their privacy rights and of company data protection policies.

  • To prevent leaks like the DSP one, consider scheduling regular training sessions with employees about the importance of protecting company data

For more information, check out this article.


9. IT Firm JumpCloud Experiences Security Breach by Unnamed Nation-State

What Happened:

Cloud-based IT management service JumpCloud experienced a security breach beginning on June 22nd and discovered on June 27th.

What to Know:

  • The breach was carried out by hackers working for a nation-state and started as a spear-phishing campaign

  • A spear-phishing campaign aims malicious emails at specific individuals or organizations in order to steal sensitive information or infect a device with malware

  • JumpCloud implemented its incident response plan, rotated account credentials, and rebuilt systems

  • The attack was targeted and limited to specific customers

What to Do:

  • Have an incident response plan in place in the event of a breach and consider working with an incident response partner to analyze systems and logs for suspicious activity

  • Post-investigation, JumpCloud published a list of malicious IP addresses and file hashes to block in your Endpoint Detection and Response and perimeter security solutions. If you utilize these workflows, access the list and further secure your business environment here.

  • Consider increased training sessions for employees centered on phishing attacks

To learn more, check out this article.


10. Biden-Harris Administration Proposes “U.S. Cyber Trust Mark”

What Happened:

The U.S. Cyber Trust Mark program will raise the bar for cybersecurity across common devices and help Americans more easily choose smart devices that are safer and less vulnerable to cyberattacks.

What to Know:

  • Under the new program consumers would see a new “U.S. Cyber Trust Mark” applied to products that meet established cybersecurity criteria. Criteria include things like requirements for unique and strong default passwords, data protection, software updates, and incident detection capabilities

  • The program is voluntary and has received support from companies like Amazon, Best Buy, Google, LG Electronics U.S.A., Logitech, and Samsung

Business Impact:

  • If adopted, this will likely raise the standard to which smart technology is held and will make it easier for consumers to compare and rank product security across brands before purchase. In response, businesses supplying these products will likely need to increase the transparency of their security processes and maintain high levels of security in order to meet what may become an industry norm of carrying the U.S. Cyber Trust Mark on their products

  • This would make it much easier for consumers to seek and feel confident about products that meet at least a baseline level of security

  • This would be beneficial for businesses selling smart devices as it helps customers to differentiate between trustworthy products on the market

What to Do:

  • As a next step the FCC is expected to seek public comment. Keep up to date on the program as opinions are shared and as development continues

For more information, check out this White House briefing.

