July 2023 Edition
Table of Contents
700,000 TikTok Accounts in Turkey Compromised
Ongoing Repercussions from MOVEit Hack Bring Up Software Supply Chain Concerns
“Fourth Amendment is Not For Sale Act” Works to Protect Data From Law Enforcement
Stalkerware App Made Millions by Forging Identities
VirusTotal Apologizes for Human Error-Driven Data Exposure
Typo Leads to Continuing Military Data Leak
Dutch Patient Data at Risk for Data Leakage
Amazon Van Surveillance Camera Footage Ending Up On Reddit
IT Firm JumpCloud Experiences Security Breach by Unnamed Nation-State
Biden-Harris Administration Proposes “U.S. Cyber Trust Mark”
1. 700,000 TikTok Accounts in Turkey Compromised
What Happened:
Weeks before the presidential election in Turkey, around 700,000 TikTok accounts in Turkey had their private information and control compromised
What To Know:
The vulnerability came from TikTok’s “grey routing” of SMS messages through insecure channels during an account verification step
Grey routing is when an SMS message bypasses international messaging regulations and fees and travels through unauthorized channels before reaching its destination. Companies do this to keep costs down and avoid carrier guardrails.
Prior to the breach, TikTok was warned by the U.K.’s National Cyber Security Centre that this practice posed cybersecurity threats
This is the largest company-confirmed compromise of TikTok
This comes at a time when TikTok and parent company ByteDance have been facing increased scrutiny for shaky security practices
Business Impact:
Companies utilizing grey routing should be wary of the cybersecurity threats inherent to this practice and consider alternate modes of account verification
What to Do:
In response, TikTok introduced passkeys so users could log into their accounts without using an SMS code. Users of TikTok should consider opting out of SMS verifications for their accounts
For more information, check out this article.
2. Ongoing Repercussions from MOVEit Hack Bring Up Software Supply Chain Concerns
What Happened:
The Clop extortion group responsible for the MOVEit hack continues to post the names of hundreds of companies, state and local governments, universities, and other organizations on its dark web leak site, threatening to leak the data of named victims if its payment demands are not met.
What to Know:
The breach first occurred in May, and there are no signs of a slowdown in reported incidents.
With about 369 organizations confirmed to be affected by the breach, this is the most widespread file transfer hack ever recorded. Most of the victims are direct Progress Software customers or entities that purchased or used its file transfer service.
There are at least 73,000 entities that tech-solution company Exiger is “moderately confident” could inadvertently have exposed their data to theft in the hack due to relationships with third-party providers
What to Do:
Reconsider the avenue through which you transfer files for your business and double check for safety and security of data transfer
Users of Progress Software are especially vulnerable and should consult a cybersecurity expert to see if they are victims of a data leak
Consider software supply chain vulnerabilities that your business may face
Many of the victims don’t use MOVEit Transfer, but they send their data to third-party providers who do. Consider who your third-, fourth-, or fifth-party providers may be and understand how they handle the data you may be sending them.
For more information, check out this article.
3. “Fourth Amendment is Not For Sale Act” Works to Protect Data From Law Enforcement
What Happened:
The House Judiciary Committee advanced the “Fourth Amendment is Not for Sale Act,” legislation that would prevent data brokers from selling consumer data to government agencies.
What to Know:
Proponents of the legislation argue that purchases of data by government agencies breach the Fourth Amendment. Such purchases allow law enforcement to bypass the judicial system’s requirement for a warrant
Without this legislation, information like location and internet records can be purchased directly from data brokers. This allows law enforcement to evade the warrant process required to get the same information directly from phone companies
With bipartisan support, this bill suggests both sides agree that law enforcement’s access to digital data needs to be regulated
What to Do:
Keep an eye out as this continues to move forward. Eventually, the bill might be included in a bigger surveillance reform package
For more information, check out this article.
4. Stalkerware App Made Millions by Forging Identities
What Happened:
TheTruthSpy, a collection of Android “stalkerware” surveillance apps, has compromised hundreds of thousands of phones.
What to Know:
Vietnam-based startup 1Byte is behind the development of TheTruthSpy. To stay under the radar, 1Byte devised a network of fake identities with forged American passports to cash out customer payments into bank accounts that on the surface looked like accounts owned by Americans but that 1Byte actually owned. That way, the fake sellers would take the fall if the operation was discovered by authorities. Through an intricate system of fake identities, 1Byte made millions.
TheTruthSpy’s database contains a record of close to 400,000 victims
1Byte faced constant difficulty in finding a way to process payments and eventually built its own checkout website called Affiligate, which quickly began handling the majority of customer payments for TheTruthSpy and other cloned apps. It was designed to look and feel like a legitimate software reseller marketplace to outsiders while acting as a payment processor for 1Byte’s stalkerware products. However, Affiligate still needed to rely on an outside company for credit card payments and eventually used Stripe to process them at scale.
1Byte’s forgeries were impressive: passports, driver’s licenses, and proof of U.S. residency were forged; email addresses were used to establish merchant accounts; burner phone numbers were acquired. A deeper dive shows that some of the home addresses 1Byte listed for its employees don’t exist; some SSNs belong to deceased persons; and forged government documents contain typos
1Byte hosted the phone data in Texas web hosting data centers
Stalkerware developers and companies are notoriously susceptible to hacks
What to Do:
TechCrunch created a free tool that allows anyone to check if their phone has been compromised: https://techcrunch.com/pages/thetruthspy-investigation/. Consider checking your devices
For more information, check out this article.
5. VirusTotal Apologizes for Human Error-Driven Data Exposure
What Happened:
VirusTotal issued an apology for the recent customer data exposure incident. The incident was due to human error and not related to a cyberattack.
What to Know:
An employee accidentally uploaded a file containing information about customers (including names of companies, associated VirusTotal group names, and email addresses of group admins) to the VirusTotal platform. It was removed within one hour of its posting.
The file was only accessible to partners and cybersecurity analysts who hold premium accounts. No anonymous user or malicious entity would have had access to the premium platform, and so none could have leaked the data.
Business Impact:
Businesses should take this as a reminder to regularly schedule training sessions with employees in order to reduce the opportunities for human-error-driven data spills
What to Do:
Consider implementing internal processes and technical controls to improve security of customer data
Restrict employee access to customer data to those employees for whom it is essential to their role
To view the apology, click here.
6. Typo Leads to Continuing Military Data Leak
What Happened:
Millions of US military emails have been misdirected to Mali through a “typo leak.”
What to Know:
The domain suffix of all US military email addresses is .MIL; however, it is commonly mistyped as .ML, the country-code domain for Mali, and as a result emails are sent to that domain instead of the military domain. The problem was first identified about a decade ago.
Highly sensitive information like diplomatic documents, tax returns, passwords, and travel details of top officers have been breached. Additional email contents include things like medical data, crew lists for ships, photos of bases, naval inspection reports, bullying investigations, and financial records. None of the information was marked classified.
Mali’s government is closely allied with Russia
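One defensive control that follows from the .MIL/.ML mechanism above is an outbound-mail check that holds a message when a recipient's top-level domain is a one-character slip away from a domain the organization protects. The code below is an added example, not something from the page or from any military mail system; the protected-TLD list, the hold-for-review policy, the edit-distance rule, and the sample addresses are all assumptions made for the illustration.

```python
"""Outbound-mail guard for the .MIL -> .ML slip described above.

Added example, not from the page or any military mail system. Assumptions:
the set of protected TLDs is supplied by the deployer (only .mil comes from
the page), and a message whose recipient TLD is one edit away from a
protected TLD is held for review rather than delivered.
"""
from email.utils import parseaddr


def edit_distance(a, b):
    """Levenshtein distance; inputs are short TLD strings, so O(len a * len b) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def recipient_domain(address):
    """Return the lower-cased domain of 'Name <user@domain>' or 'user@domain', else None."""
    _display, addr = parseaddr(address)
    if addr.count("@") != 1:
        return None
    return addr.split("@", 1)[1].strip().lower()


def suspicious_recipients(recipients, protected_tlds=("mil",)):
    """Flag recipients whose TLD is a one-character slip from a protected TLD.

    Returns a list of findings, each with the offending address, the reason,
    and the corrected address the sender probably meant.
    """
    findings = []
    for rcpt in recipients:
        domain = recipient_domain(rcpt)
        if not domain or "." not in domain:
            findings.append({"recipient": rcpt, "reason": "unparseable domain", "suggested": None})
            continue
        labels = domain.split(".")
        tld = labels[-1]
        for good in protected_tlds:
            if tld != good and edit_distance(tld, good) == 1:
                findings.append({
                    "recipient": rcpt,
                    "reason": f".{tld} is one edit away from protected .{good}",
                    "suggested": ".".join(labels[:-1] + [good]),
                })
                break
    return findings


def should_hold_message(recipients, protected_tlds=("mil",)):
    """Policy decision for an outbound mail gateway: hold if any recipient is suspicious."""
    return bool(suspicious_recipients(recipients, protected_tlds))


# Constructed sample recipients (example.mil / example.ml are placeholders, not real hosts).
SAMPLE_RECIPIENTS = [
    "Jane Doe <jane.doe@example.mil>",   # correct
    "john.roe@example.ml",               # the .MIL -> .ML slip
    "ops@example.com",                   # unrelated domain, not protected
]

if __name__ == "__main__":
    for finding in suspicious_recipients(SAMPLE_RECIPIENTS):
        print(f"{finding['recipient']}: {finding['reason']} (did you mean {finding['suggested']}?)")
    print("hold message:", should_hold_message(SAMPLE_RECIPIENTS))
```

The edit-distance rule is deliberately broader than the single .ml case: it also catches .mi or .mll, at the cost of occasionally holding a legitimate message to a genuine neighbouring TLD, which is why the result is a hold for review rather than a silent drop.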
For more information, check out this article.
7. Dutch Patient Data at Risk for Data Leakage
What Happened:
Dutch family doctor medical records are stored on servers owned by a commercial software company without some patients’ knowledge.
What to Know:
Canadian-owned software company Calculus allows doctors to share encrypted patient information with other doctors in the region which can help facilitate treatment for certain patients. The problem is that some doctors are claiming that all patient files are being copied, not just those necessary
There is a risk of a massive data leak because Calculus is storing too much data in one place
8. Amazon Van Surveillance Camera Footage Ending Up On Reddit
What Happened:
Anonymous Reddit users have been posting video footage from the in-van cameras that Amazon uses to monitor drivers to the subreddit r/AmazonDSPDrivers.
What to Know:
Amazon delivery service partners (DSPs) are small-business contractors responsible for Amazon’s door-to-door deliveries. They select routes, dispatch drivers, and monitor their actions on the road with cameras
Amazon drivers have to sign a “biometric consent” form that allows them to be monitored while on the job
It isn’t clear who exactly is posting these videos or how they have access, but they seem to be DSP employees who have access to the camera stream
The cameras Amazon uses are AI-enabled to monitor drivers’ speed, location, and actions on the road
Business Impact:
Employees are becoming ever-more concerned with data breaches at the hands of their parent companies and may become less willing to work for companies that violate their privacy.
What to Do:
If you’re a business owner, make sure your employees are aware of their privacy rights and of company data protection policies.
To prevent leaks like the one at the DSPs, consider scheduling regular training sessions with employees about the importance of protecting company data
For more information, check out this article.
9. IT Firm JumpCloud Experiences Security Breach by Unnamed Nation-State
What Happened:
Cloud-based IT management service JumpCloud experienced a security breach beginning on June 22nd and discovered on June 27th.
What to Know:
The breach was done by hackers working for a nation-state and started as a spear-phishing campaign
A spear-phishing campaign aims malicious emails at specific individuals or organizations in order to steal sensitive information or infect a device with malware
JumpCloud implemented its incident response plan, rotated account credentials, and rebuilt systems
The attack was targeted and limited to specific customers
What to Do:
Have an incident response plan in place in the event of a breach and consider working with an incident response partner to analyze systems and logs for suspicious activity
Post-investigation, JumpCloud created a list of malicious IP addresses and hashes to block and avoid at all costs in order to add protection to your Endpoint Detection and Response and perimeter security solutions. If you utilize these workflows, access the list and further secure your business environment here.
Consider increased training sessions for employees centered on phishing attacks
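Putting a published blocklist to use means more than pasting it into a firewall: the same indicators should be swept against existing proxy and endpoint logs to find any contact that happened before the block was in place. The code below is an added example, not JumpCloud's tooling and not its list. It assumes a plain-text feed with one indicator per line and "#" comments (the real list's format is not on the page), and every IP, hash and log line in it is a constructed placeholder.

```python
"""Match a vendor-published blocklist of IPs and file hashes against local logs.

Added example, not JumpCloud's tooling or list. Assumptions: the feed is
plain text with one indicator per line and '#' comments (the real list's
format is not on the page); every indicator and log line below is a
constructed placeholder (RFC 5737 documentation IPs, made-up hashes).
"""
import ipaddress
import re

FAKE_SHA256 = "0" * 63 + "1"  # constructed placeholder, not a real file hash

# Constructed IoC feed. Replace with the vendor's published list.
IOC_FEED = f"""
# network indicators
192.0.2.10
192.0.2.0/28
# file hashes (sha256)
{FAKE_SHA256}
"""

# Longest alternative first so a 64-char digest is not cut short at 32 or 40.
HEX_HASH = re.compile(r"\b(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\b")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_ioc_feed(text):
    """Split a feed into a list of ip_network objects and a set of lower-cased hashes."""
    nets, hashes = [], set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))  # single IPs become /32
            continue
        except ValueError:
            pass
        if HEX_HASH.fullmatch(line):
            hashes.add(line.lower())
    return nets, hashes


def scan_logs(log_lines, nets, hashes):
    """Return (line_no, kind, indicator) for every log line touching a listed IP or hash."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        for ip_text in IPV4.findall(line):
            try:
                ip = ipaddress.ip_address(ip_text)
            except ValueError:
                continue  # e.g. 999.1.1.1 matches the regex but is not an address
            if any(ip in net for net in nets):
                hits.append((line_no, "ip", ip_text))
        for digest in HEX_HASH.findall(line):
            if digest.lower() in hashes:
                hits.append((line_no, "hash", digest.lower()))
    return hits


# Constructed proxy and EDR log lines (timestamps, hosts and paths are placeholders).
SAMPLE_LOGS = [
    "2023-06-22T10:15:00Z proxy src=10.0.0.5 dst=192.0.2.10 action=allow",
    "2023-06-22T10:16:30Z proxy src=10.0.0.7 dst=198.51.100.20 action=allow",
    "2023-06-22T10:17:02Z edr host=wks-01 file=C:\\temp\\update.exe "
    f"sha256={FAKE_SHA256}",
    "2023-06-22T10:18:45Z proxy src=10.0.0.9 dst=192.0.2.3 action=allow",
]

if __name__ == "__main__":
    nets, hashes = parse_ioc_feed(IOC_FEED)
    for line_no, kind, indicator in scan_logs(SAMPLE_LOGS, nets, hashes):
        print(f"line {line_no}: listed {kind} {indicator}")
```

Matching IPs through ipaddress rather than string comparison lets the feed carry CIDR ranges as well as single hosts, and lower-casing digests on both sides avoids missing a hit because one tool logs hashes in upper case.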
To learn more, check out this article.
10. Biden-Harris Administration Proposes “U.S. Cyber Trust Mark”
What Happened:
The U.S. Cyber Trust Mark program will raise the bar for cybersecurity across common devices and help Americans more easily choose smart devices that are safer and less vulnerable to cyberattacks.
What to Know:
Under the new program consumers would see a new “U.S. Cyber Trust Mark” applied to products that meet established cybersecurity criteria. Criteria include things like requirements for unique and strong default passwords, data protection, software updates, and incident detection capabilities
The program is voluntary and has received support from companies like Amazon, Best Buy, Google, LG Electronics U.S.A., Logitech, and Samsung
Business Impact:
If adopted, this will likely raise the standard to which smart technology is held and will make it easier for consumers to compare and rank product security across brands before purchase. In response, it’s likely that businesses supplying these products will need to increase security process transparency and maintain high levels of security in order to meet what may become an industry norm of carrying the U.S. Cyber Trust Mark on their products
This would make it much easier for consumers to seek and feel confident about products that meet at least a baseline level of security
This would be beneficial for businesses selling smart devices as it helps customers to differentiate between trustworthy products on the market
What to Do:
As a next step the FCC is expected to seek public comment. Keep up to date on the program as opinions are shared and as development continues
For more information, check out this White House briefing.