CYBERSECURITY NEWS V. August – T-Mobile hack, Largest DDoS attack, ProxyShell vulnerabilities


hexway cybersecurity blog brings you the latest news about attacks and data breaches, emerging malware, and vendor security updates

News FYI

T-Mobile hack

In mid-August, an announcement about the sale of personal data of about 100 million T-Mobile customers appeared on a hacker forum. The seller claimed to have hacked into the company's servers, gained access to an unsecured T-Mobile GPRS gateway, and stolen the data.

The hacker priced the entire dump at six bitcoins. In total, the database holds records on 100 million people, including IMSI, IMEI, phone numbers, names, and security PINs. For 30 million of them, the data also includes birth dates, driver's license numbers, and social security numbers.

The company confirmed the incident, stating that the records of 50 million people were stolen, including current, former, or potential T-Mobile customers. The head of the company, Mike Sievert, said that he could not share in-depth technical details of the incident due to the criminal investigation, which is currently carried out by law enforcement agencies.

John Binns, a 21-year-old US citizen now residing in Turkey, claimed responsibility for the attack. Binns said that he broke into T-Mobile through a misconfigured router, which he discovered back in July. He found the router using a simple open-source tool; some suggest it was Shodan, Nmap, or Masscan. The router gave Binns an entry point to T-Mobile's servers in a data center in Washington state. From there he developed the attack further, obtaining credentials that gave him access to more than 100 servers. Binns said it took him about a week to reach the servers holding customer data and compromise them.

According to media reports, Binns is not the only one trying to sell T-Mobile customer information. At the same time, Binns stated that he has several potential buyers.

Cloudflare Prevents Largest Recorded DDoS Attack

Cloudflare announced that it had mitigated the largest DDoS attack recorded to date, peaking at 17.2 million HTTP requests per second, three times the size of any previously known attack. An unknown attacker used a botnet of 28,000 infected devices to flood the client's network with HTTP requests. Based on the IP addresses of the infected devices, Cloudflare experts estimate that 15% of the traffic came from Indonesia, with another 17% from India and Brazil. The target was one of Cloudflare's customers in the financial sector.

Although the attack peaked at 17.2 million requests per second for only a few seconds, the attacker drove the botnet against the victim for hours. In total, Cloudflare had to process over 330 million unwanted HTTP requests. For comparison, the attack equaled 68% of the legitimate HTTP traffic the company processed on average in Q2 2021 (about 25 million requests per second).

The same botnet carried out two other large-scale attacks, including one that peaked at 8 million requests per second, targeting an unnamed host. Cloudflare is currently tracking the evolution of this botnet, which appears to be based on a modified version of the well-known IoT malware Mirai.

Hackers stole $600 million in major cryptocurrency heist

On August 10, the Poly Network platform, which enables the exchange of tokens between different blockchains, announced that it had been attacked. As a result, more than $600 million in cryptocurrency was stolen.

Exploiting a vulnerability in Poly Network, the hackers stole $267 million in Ethereum, $252 million in Bitcoin, and $85 million in USDC tokens, BBC News reports. They also stole other tokens such as WBTC, WETH, SHIB, and DAI. Part of the stolen money ($ million in the stablecoin Tether) was frozen by Tether's issuer, making it inaccessible to the hackers.

Poly Network published the hackers' wallet addresses and urged that transfers from them be blocked. Specialists from Binance, the world's largest crypto exchange, are involved in the investigation.

Poly Network tweeted an appeal to hackers to recover the stolen assets.

Less than a day after the theft, the hackers responded by attaching a short message to a transfer from the wallet they had used (Poly Network had previously disclosed the wallet addresses). The hackers wrote in capital letters that they were "ready to return the funds."

According to the latest Poly Network data, assets worth $260 million have already been returned.

New NSO Group Related Zero-Click Exploit Discovered

The Citizen Lab at the University of Toronto discovered a vulnerability in iOS which can be exploited in just one click. It has been used in attacks against several activists and dissidents in Bahrain since February 2021.

The new exploit was linked to the Israeli commercial spyware maker NSO Group, which has recently been mentioned in the media in connection with the surveillance of activists and journalists.

FORCEDENTRY is one of several vulnerabilities exploited to infect devices with NSO Group's Pegasus spyware. The details of the iMessage vulnerability have not been disclosed because it is not yet fixed, but the following is known:

FORCEDENTRY is a zero-click exploit: once the victim receives a malicious iMessage from the attacker, their iPhone can be infected with malware. The victim does not need to click a link in the message or even open it;

FORCEDENTRY bypasses BlastDoor, a security feature that Apple quietly added in iOS 14 last year;

FORCEDENTRY has also been used in attacks against users in France and India.

FlyTrap malware hijacks thousands of Facebook accounts

The FlyTrap Android malware hijacks Facebook accounts in 144 countries by stealing session cookies. The stolen information was exposed to anyone who found the FlyTrap C&C server.

FlyTrap has been active since at least March 2021. The attackers use decoy apps distributed through Google Play and third-party Android app stores. Typically, such a decoy offers the user free coupons (for Netflix, Google AdWords, and so on) or lets them vote for their favorite football team or Euro 2020 player.

To claim the offer, the victim is supposedly required to log into the app with their Facebook credentials, and authentication takes place on Facebook's legitimate domain. Because the malicious apps use genuine Facebook SSO, they cannot capture the user's credentials directly. Instead, FlyTrap uses JavaScript injection to collect other sensitive data, including session cookies.

The information collected in this way is sent to the attackers' command and control server. To date, more than 10,000 Android users have fallen victim to this campaign.

Hackers actively scan Microsoft Exchange servers looking for unpatched ProxyShell vulnerabilities

Hackers are actively scanning the Internet for exposed Microsoft Exchange installations with unpatched ProxyShell vulnerabilities. The scans began after new details of the vulnerabilities were presented at the Black Hat conference in Las Vegas.

ProxyShell is the collective name for three vulnerabilities in Microsoft Exchange that, when chained together, allow an unauthenticated remote attacker to execute arbitrary code on a vulnerable server. Attackers try to exploit ProxyShell remotely via the Client Access Service (CAS), which runs on port 443 under Internet Information Services (IIS):

CVE-2021-34473 - Access Control List (ACL) bypass. Fixed in April 2021 in update KB5001779;

CVE-2021-34523 - Privilege escalation in the Exchange PowerShell backend. Fixed in April 2021 in update KB5001779;

CVE-2021-31207 - Remote code execution. Fixed in May 2021 in update KB5003435.

As of August 8 (two days after the PoC was published), more than 30,400 of 100,000 Exchange servers were still unpatched and vulnerable to attack.

The problem is aggravated by the publication, on a Russian-language hacker forum, of a list of more than 100,000 Internet-connected Exchange servers. Attackers need only pick up a publicly available exploit and start working through the list.

Ragnarok ransomware authors release decryptor

Without any announcement or explanation, the Ragnarok group released a master decryption key that unlocks files previously encrypted by its ransomware. The group may nonetheless resurface in new attacks.

The group's disappearance coincided with the loss of its website. From July to mid-August, the site listed a dozen victims; now it shows only a link to the file containing the master decryption key.

Ragnarok was first spotted in January 2020 after attacks on Citrix ADC servers and an attempt to disable Windows Defender. Earlier this year, the DarkSide group responsible for the attack on the American company Colonial Pipeline was also reportedly disbanded.
