AT&T leak and Snowflake account vulnerability

AT&T has reported a leak of data on 110 million mobile subscribers, not counting traditional telephony users. What leaked is what can be called logs or metadata: the database contains records of incoming and outgoing calls, their dates and durations, phone numbers, and data on received and sent SMS messages. The company learned of the leak back in April and, under US law, was supposed to disclose it publicly, but the regulator allowed it to delay disclosure because of the sensitivity of the information.

The incident is closely related to other corporate data breaches that occurred in April and May of this year and involved attacks on poorly protected accounts at the cloud data platform Snowflake. In June, Mandiant reported that attackers had gained access to the data of 165 Snowflake customers, including, for example, the Spanish bank Santander, the Advance Auto Parts retail chain and the concert ticketing service Ticketmaster. According to Mandiant, the large-scale attack did not exploit any vulnerability in the cloud service itself. None of the affected accounts was properly protected: each could be accessed with a simple login and password, and the multi-factor authentication available on the service had not been enabled. The credentials themselves had been stolen by credential-stealing malware.
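The two checks an administrator would want to run after reading the paragraph above, followed by the fix, as an added example that is not part of the original digest and not taken from Snowflake's or Mandiant's own material: list the users who can still authenticate with a password alone, find recent successful password-only logins grouped by source address, and then require MFA account-wide through an authentication policy. It assumes a role that can read the SNOWFLAKE.ACCOUNT_USAGE schema (for example ACCOUNTADMIN) and an account that supports authentication policies; the schema name security_db.policies, the policy name require_mfa and the 7-day window are arbitrary choices made for the example.

```sql
-- 1. Active users who can log in with a password and have no MFA enrolled.
--    EXT_AUTHN_DUO is TRUE only for users enrolled in Snowflake's built-in MFA.
SELECT name, login_name, email, last_success_login
FROM snowflake.account_usage.users
WHERE deleted_on IS NULL
  AND disabled = FALSE
  AND has_password = TRUE
  AND ext_authn_duo = FALSE
ORDER BY last_success_login DESC NULLS LAST;

-- 2. Successful logins in the last 7 days (arbitrary window) where the only
--    factor was a password: no second factor, no SSO assertion, no key pair.
--    A stolen password replayed from an unfamiliar IP and client shows up here.
SELECT user_name,
       client_ip,
       reported_client_type,
       COUNT(*)             AS logins,
       MIN(event_timestamp) AS first_seen,
       MAX(event_timestamp) AS last_seen
FROM snowflake.account_usage.login_history
WHERE event_timestamp >= DATEADD(day, -7, CURRENT_TIMESTAMP())
  AND is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
GROUP BY 1, 2, 3
ORDER BY last_seen DESC;

-- 3. Close the gap: require MFA for every password login on the account.
--    Authentication policies are schema-level objects; the schema below is a
--    hypothetical administrative schema chosen for this example.
USE SCHEMA security_db.policies;

CREATE AUTHENTICATION POLICY IF NOT EXISTS require_mfa
  MFA_ENROLLMENT = REQUIRED                   -- users must enrol at next login
  MFA_AUTHENTICATION_METHODS = ('PASSWORD');  -- MFA enforced for password auth

ALTER ACCOUNT SET AUTHENTICATION POLICY require_mfa;
```

Run the first two queries before applying the policy: any service account that appears in query 1 should be moved to key-pair or SSO authentication first, otherwise the enrollment requirement will break its connections rather than protect them. ACCOUNT_USAGE views lag live activity by up to a couple of hours, so for an active incident query LOGIN_HISTORY through the INFORMATION_SCHEMA table function as well.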


The AT&T incident stands out for the scale of the leak and the sensitivity of the data that ended up in the attackers' hands. Information about calls and SMS messages should, in theory, be protected as strongly as possible and handed over only at the request of law enforcement agencies. One can assume that using Snowflake was a simple solution to some technical problem, one that also turned out to be extremely unsafe. AT&T's official notification to regulators provides a few more details. AT&T learned of the breach on April 19, but the exfiltration continued through April 25. The exposed database contained metadata from May 1 through October 31, 2022, and for a separate single day, January 2, 2023.

On July 14, the story took an unexpected turn: WIRED reported that on May 17, AT&T allegedly paid the hackers a ransom of 5.7 bitcoins, about $370,000 at the time. In exchange, the company's representatives were given a video recording of the hacker allegedly deleting the only complete copy of the leaked data. However, it is possible that the database was stolen by one cybercriminal and the money was collected by another. In any case, samples from the large database have already been distributed and may end up in the public domain. AT&T promised to notify customers whose data was in the leaked database and set up a service that lets customers check exactly what information could have reached the intruders.

Before the AT&T breach, the most serious breach of an unsecured Snowflake database was the one at Ticketmaster. The hackers who gained access to its database demanded a ransom and periodically published "excerpts" from the leak, including barcodes for concert tickets.

What else happened?

A critical vulnerability has been discovered in the Exim mail transfer agent. The bug could, in theory, allow malicious attachments to reach end users.

Researchers at Kaspersky Lab note that mass phishing attacks have begun to use methods previously seen only in campaigns targeting a specific organization. As an example, the article cites a fake letter allegedly from the HR department with a link to a phishing page. The attackers' goal is to steal the password for a corporate account in Microsoft services. It is a carefully crafted phishing attack that is nevertheless sent out en masse.

Last week a Chrome browser feature was widely discussed: it gives Google services exclusive access to processor load data. This is done for seemingly good purposes: for example, Google Meet can use this information to change the bitrate of transmitted video, ensuring optimal performance. The problem is that other sites have no access to such information, which gives Google a certain competitive advantage and can be regarded as an unfair business practice. The code responsible for this functionality is open source and also works in other browsers based on the Chromium engine.

In the previous digest, we wrote that the Signal client for macOS stores the message archive and the key used to encrypt it in plain text. The problem has been known since at least 2018, and amid another wave of criticism, the messenger's developers announced plans to implement additional protection of user data for users of Apple computers. The new feature should appear in the next beta version of the messenger.
