It's time once again for another exciting edition of Gone Phishin', which is a bi-weekly round-up of the biggest breaches, hacks, and cybersecurity SNAFUs of the last couple of weeks.
There's been some big news recently. It's not often that you get to type "the entire United States of America" as a potential hacking victim, nor is it very often that both Slack and Apple's App Store make headlines for cybersecurity reasons in the same couple of weeks. It shows that just about everyone can be affected by cybersecurity no matter how big or small your company (or country!) is.
Of course, since 95% of cybersecurity breaches are because of human error, one of the best things you can do is strengthen your human firewall, and one of the best ways to do that is by using cybersecurity training from us at Hoxhunt. Reach out to us today, we'd love to hear from you.
Apple App Store
If you’re one of the 1 billion people on the planet who use an iPhone, then this news pertains to you: there’s malware in the App Store. Alex Kleber recently published a bombshell report on Medium detailing that the seven apps below contain malware. All of them are currently or have recently been among the 100 most downloaded apps in the U.S. App Store, and PDF Reader for Adobe PDF Files was recently the number one app in the Education section.
— PDF Editor for Adobe Files (Polarnet Limited)
— Screen Recorder (Safeharbor Technology L Ltd.)
— Webcam Expert (Wildfire Technology Inc.)
— Streaming Browser Video Player (Boulevard Technology Ltd.)
— PDF Reader for Adobe PDF Files (Sunnet Technology Inc.)
— PDF Reader (Xu Lu, purported to be connected with Sunnet Technology Inc.)
— Word Writer Pro (Netozo Limited)
How did these apps get around the App Store’s stringent submission policies? They initially submitted so-called “benign” versions of the apps and then pushed updates that added the malicious code. Kleber details extensively how they did this, if you want to take a look.
Twitter
Social networking hub (and arguably the largest ongoing performance-art piece in existence) Twitter just made public a mammoth breach, even though its root cause goes back to a code change in June of 2021. Twitter was made aware of the issue in January of this year by a bug hunter who was awarded $5,000 by Twitter for finding it. The flaw allowed hackers to build a database connecting phone numbers and email addresses to usernames, effectively outing anyone who wanted to stay private: CSHub's Olivia Powell writes that "The vulnerability meant that if a bad actor entered a phone number or email address and attempted to log in, they were able to learn if that information was associated with an existing account." The data affects 5.4 million accounts and includes political leaders, celebrities, and everyday folks like you and me.
Apparently, the person(s) behind this tried to sell the leaked database on Breach Forums for $30,000+ USD.
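The Twitter bug above is a textbook account-enumeration oracle: the login flow answered differently depending on whether the phone number or email was tied to an account. The following is an added example, not code from the article or from Twitter, using a constructed user table; it puts a leaky login handler beside a hardened one that returns the same message and does the same amount of work whether or not the identifier exists.

```python
"""Account enumeration in a login flow: leaky handler vs hardened handler."""
import hashlib
import hmac
import os
import secrets


def _hash_pw(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample accounts (not real data): identifier -> (salt, hash).
_S1, _S2 = os.urandom(16), os.urandom(16)
USERS = {
    "alice@example.com": (_S1, _hash_pw("correct horse", _S1)),
    "+15550001111": (_S2, _hash_pw("battery staple", _S2)),
}
# Dummy record so unknown identifiers still pay the full hashing cost
# (keeps the response time from leaking whether the account exists).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_pw(secrets.token_hex(8), _DUMMY_SALT)


def leaky_login(identifier: str, password: str) -> str:
    """Vulnerable: the error text tells the caller whether the identifier exists."""
    if identifier not in USERS:
        return "no account with that email or phone"  # enumeration oracle
    salt, stored = USERS[identifier]
    if hmac.compare_digest(_hash_pw(password, salt), stored):
        return "ok"
    return "wrong password"


def safe_login(identifier: str, password: str) -> str:
    """Hardened: one uniform message and one code path for both cases."""
    salt, stored = USERS.get(identifier, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(_hash_pw(password, salt), stored)
    return "ok" if matched and identifier in USERS else "invalid credentials"


def responses_are_indistinguishable(known: str, unknown: str, handler) -> bool:
    """Regression check: a wrong password on a real account and any password on
    an unknown account must produce identical responses."""
    return handler(known, "not-the-password") == handler(unknown, "not-the-password")
```

The same uniform-response rule applies to password-reset and "find friends by phone/email" endpoints, which are the usual places this oracle survives after login is fixed.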
The United States (yep, the whole country)
OK. So, the headline is a bit misleading. It’s not the entire United States that’s been hacked, but it is the Emergency Alert System, which is designed so that everyone within U.S. borders can receive an alert of some kind in case of an emergency. The EAS is designed to interrupt radio and both local and cable TV broadcasts, and has recently been extended to smartphones; U.S. readers are likely familiar with the BWAAAAAAAH sound of an Amber Alert or local emergency. A CYBIR security researcher found a flaw in the system that would have allowed it to be hijacked. The results could have been catastrophic: a bad actor could have posed as the United States government, creating havoc on the streets.
The details of the flaw have been kept secret for reasons too obvious to type, and it is being addressed by the Federal Emergency Management Agency (FEMA), which plans to fix it in the “upcoming weeks,” thereby averting what could have been used for some Batman-villain-level stuff on the entire population of America. CYBIR security researcher Ken Pyle is the one who originally found the flaw and brought it to FEMA’s attention, so buy him a beer / kombucha / hot dog / vegan dog if you see him around. That man is a cybersecurity legend.
Twilio & Cloudflare
According to a recently published Twilio blog post, current and former Twilio employees started receiving text messages, purporting to come from the company’s IT department, that asked for their log-in details. Turns out: they weren’t from IT, and the messages were part of a sophisticated data breach that is in some ways still ongoing, as Twilio says it does not know who is behind the attack. Twilio also said that the breach resulted in some customer data being accessed.
Strangely enough, Cloudflare employees received an eerily similar attack at roughly the same time as the Twilio attack. Cloudflare is a 2000+ employee company that holds a lot of power over what goes on across the public-facing web: its DNS service is widely used (and, massively paraphrasing here, is what lets your browser connect to domain names).
It may be that these two attacks are connected, and that some bad actors were trying to create some sort of 1-2 punch.
NHS
Britain’s National Health Service suffered a cyberattack that left several non-emergency numbers unusable in certain parts of the country for an extended period of time. NHS staff affected by the outage resorted to pen-and-paper notes for its duration, creating a (literal) paperwork backlog that is still being waded through. Several news sources point to this being the result of a ransomware attack on a managed service provider (MSP) named Advanced. Advanced hosts 36 different NHS applications, including those that connect the public to the NHS, those that hold care notes for elderly and incapacitated patients, and more.
Slack
If you’ve worked in an office at any point in the last decade, you’ve probably been made aware of the “POP-POP-POP” sound that is the Slack notification. Its ease of use is surpassed only by its ubiquity in modern office life. Well, good luck with that moving forward, as Slack was sending out hashed user passwords within links for nearly five years, and the company is having to backpedal hard to rectify this huge security hole. According to a company blog post, “(w)hen users created or revoked a shared invitation link for their workspace,” the data sent along with that link also included the sender's hashed password. Hashing is not the same as encryption, and a hash cannot simply be decrypted, but anyone who obtained it could have attempted to crack it offline and recover the user’s password. Thanks to Naked Security for the great explanation of “hashed and salted” passwords pertaining to this news item. “Hashed and salted” is coincidentally how I like my breakfast order at Waffle House.