Optus Data Breach
Optus has suffered a historic breach for Australian consumers this month with a total affected 11.3m user records claimed to be stolen by the Threat Actor (TA). This breach is extremely concerning due to the large amount of confidential data that has been reported stolen apart of it that can potentially be used for fraud, identify theft, destroying credit scores, sim swapping and further malicious practices. Fortunately, no passwords or financial information was compromised. CTRL Group has been following this breach closely and have gathered information regarding the purported breached data which includes:
- Full Names
- Dates of Birth
- Phone Numbers
- Email Addresses
- Home Addresses
- Driver’s Licence and Passport Numbers
- About 37,000 Medicare numbers with 22,000 of them being expired
With access to this amount of identifying data, 100 points of identification can be amounted too which is the basis to opening bank accounts, financial accounts and prove ownership to said accounts.
The TA claims that they found an unprotected Application Programming Interface (API) service that was publicly accessible that did not require any authorisation, or authentication to access Optus’ customer data. This makes the hack even more concerning as there is no indication how long this API service was publicly accessible for other TA’s to access and exfiltrate confidential data. However, Optus has not confirmed that this was the method of breach at this time.
While the TA was asking for a $1.53m AUD ransom from Optus for the data and released approximately 10,200 user records as proof of compromise, they have now taken down the advertisement issuing an apology and have claimed to delete the entire data set that was stolen. The reason as to why the TA backed down is claimed to be due to increased scrutiny on the data breach which comes with an increased federal presence. Please be aware that some leaked users out of the 10,200 released records have been receiving scam texts asking for payments.
The following mitigation actions are recommended:
- Set a Password with any Optus account that will be required if someone attempts to access / change details with the compromised data. This will add extra security to access their account for sim swapping. This can be done by ringing up Optus and setting it up over the Phone.
- All social media accounts, email accounts or further work accounts that may be associated to an Optus phone number and can be used to recover the account, should remove the number from the account to prevent recovery / OTP misuse.
- Ensure employees do not panic if they receive an alarming / needs urgent action email or text message and, to report it instead of acting based off the communication. Times like these will cause panic and lead to a user acting based on urgency / fear rather than logical thinking which can lead to compromise.
- Recommendations would be to issue a warning to the Optus users to be vigilant of any potential scams / phishing attempts that will cause a sense of urgency for the user and to report them immediately to IT.
- Optus is currently in the process of contacting all users that have had their Passport or Driver licence compromised through email regarding the breach. Unfortunately, the best method to ensure that no compromised Personal Data is abused, is to order new Passport’s / Driver’s Licences so that these Identification ID’s that have been compromised cannot be used for the 100 points of Identification. Currently, the government is pushing for Optus to pay for these documents which should be kept in mind for anybody affected by this breach.
- Microsoft Authenticator allows a user to back up their authenticator to iCloud if it is setup correctly. Please get the user to check their settings with Microsoft Authenticator to ensure it is not being backed up as although it is harder to recover work Authenticator backups, it is still possible.
The ACCC has released further recommendations for post Optus Data breach actions listed below if you would like to recommend further steps to affected employees:
- Secure your devices and monitor for unusual activity
- Change your online account passwords and enable multi factor authentication for banking
- Check your accounts for unusual activity such as items you haven’t purchased
- Place limits on your accounts or ask you bank how you can secure your money
- If you suspect fraud you can request a ban on your credit report.
Uber Suffers security breach via stolen credentials and MFA fatigue
On September 16th Uber suffered a cyber breach which gave an attacker access to sensitive security systems.
Inside Uber’s network, the attacker allegedly connected to the company VPN, performed a network scan and was able to discover a network share with several PowerShell scripts. One script contained admin credentials for a privileged access management service, which they used to access several critical security services.
Screenshots of the attacker’s access was uploaded to twitter, showing indications they had access to Uber’s HackerOne, AWS instance, and Slack messaging platform. On HackerOne, the attacker commented on every vulnerability report, and Uber expresses concern that they were also able to obtain reports for undisclosed and unpatched vulnerabilities.
The malicious actor had somehow obtained an external contractor’s credentials. Uber has speculated that the user’s credentials may have been purchased on the dark web, after the contractor’s personal device had been infected by malware or phishing.
The attacker was able to login to the contractor’s account despite the presence of multifactor authentication. The attacker repeatedly made login attempts, which spammed push-alerts to the user’s authenticator app. The malicious actor was able to find the contractor on WhatsApp and contacted them as a disguised Uber IT employee. From there, they were able to manipulate the user into approving the authentication attempt.
The following actions are recommended by CTRL Group, and are also crucial to building positive password hygiene from within the organisation.
- Passwords are to be regularly changed every three months.
- Conditional access for Microsoft sign-ins can be configured with conditional access, which prevent authentication from proceeding if the device, location or risk levels are unacceptable.
- Use MFA number-matching where possible and avoid using push-alert authentication.
Two Remote Code Execution Vulnerabilities Patched in WhatsApp
WhatsApp has recently patched two serious vulnerabilities that could be exploited for remote code execution. One of the flaws, tracked as CVE-2022-36934 and rated “critical,” is an integer overflow issue that affects WhatsApp for Android prior to 18.104.22.168, Business for Android prior to 22.214.171.124, iOS prior to 126.96.36.199, and Business for iOS prior to 188.8.131.52. WhatsApp noted that an attacker can exploit the vulnerability for remote code execution during a video call.
The second issue, a high-severity flaw tracked as CVE-2022-27492, is an integer underflow that can be exploited for remote code execution by sending a specially crafted video file to the targeted user. It has been patched in WhatsApp for Android and iOS with the release of versions 184.108.40.206 and 220.127.116.11, respectively.
According to security researchers at Malwarebytes, CVE-2022-36934 impacts the Video Call Handler component, while CVE-2022-27492 affects the Video File Handler component. The vulnerabilities appear to have been discovered internally, and there is no indication that they have been exploited in the wild.
These versions of WhatsApp are affected by at least one of the vulnerabilities:
- WhatsApp for Android prior to v18.104.22.168
- WhatsApp Business for Android prior to v22.214.171.124
- WhatsApp for iOS prior to v126.96.36.199
- WhatsApp Business for iOS prior to v188.8.131.52
- WhatsApp for Android prior to v184.108.40.206 and WhatsApp for iOS v220.127.116.11 are affected by both
CTRL Group recommends checking your WhatsApp version for Android and iOS to determine if it has been patched to either the latest version, or a non-vulnerable version.