AT&T Hackers Likely Stole FBI Agents' Call and Text Logs

Star Blizzard tried to phish data from Ukraine NGOs, Silk Typhoon infiltrated Janet Yellen's computer, FTC bans GM from providing driver data to consumer reporting agencies, Treasury sanctions DPRK fake IT worker front groups, FTC settles secure hosting charges with GoDaddy, much more

Photo by Jamal Wilson, Public domain, via Wikimedia Commons

Important publishing notice: Metacurity will not publish on January 20 in honor of the great civil rights leader Martin Luther King, Jr., whose achievements we celebrate on that day.




According to a document, FBI leaders have warned that they believe hackers who broke into AT&T Inc.’s system last year stole months of their agents’ call and text logs, setting off a race within the bureau to protect the identities of confidential informants.

According to the document and sources, FBI officials told agents nationwide that details about their use on the telecom carrier’s network were believed to be among the billions of records stolen.

The document shows that data from all FBI devices under the bureau’s AT&T service for public safety agencies were presumed taken.

The cache of hacked AT&T records didn’t reveal the substance of communications but, according to the document, could link investigators to their secret sources. The data was believed to include agents’ mobile phone numbers and the numbers with which they called and texted. Records for calls and texts that weren’t on the AT&T network, such as through encrypted messaging apps, weren’t part of the stolen data.

AT&T publicly disclosed the breach in July, saying it included six months' worth of mobile phone customer data from 2022. The hackers threatened to sell the data unless the telecommunications company paid an extortion fee.

A person with knowledge of the breach who reviewed a sample of the stolen information confirmed that it contained records of sensitive FBI communications, including the call logs of at least one agent.

AT&T spokesperson Alex Byers said, “After criminals stole customer data last year, we worked closely with law enforcement to mitigate impact to government operations.” He said the company appreciates law enforcement’s recent arrests for the breach and continues to “increase investments in security as well as monitor and remediate our networks.” (Jake Bleiberg and Margi Murphy / Bloomberg)

Related: Wired, Reuters, Seeking Alpha

Researchers at Microsoft report that Star Blizzard, a hacking group linked to Russia’s government, tried stealing WhatsApp data from employees at non-governmental organizations offering assistance to Ukraine.

They say attackers associated with Russia’s Federal Security Service, or FSB, sent emails to specific targets asking them to join WhatsApp groups. The phishing messages often appeared to be from a US government official and contained a QR code that purportedly would provide details about initiatives meant to support Ukraine in its ongoing war against Russia.

Microsoft said that, with its help, the US Justice Department has seized or taken down 180 websites associated with the group since October.

A WhatsApp spokesperson said that the company protects personal conversations with end-to-end encryption and encourages users only to click on links from people they know and trust. (Margi Murphy / Bloomberg)

Related: Microsoft, Odessa Journal, Kyiv Independent, Cyber Daily, Neowin, Infosecurity Magazine, The Register, Cyberscoop, The Cyber Express, Security Week

Source: Microsoft.

According to sources, US Treasury Secretary Janet Yellen’s computer was infiltrated, and unclassified files were accessed as part of a broader breach of the agency by the Chinese state-sponsored hacking group Silk Typhoon.

The sources say the attackers also hacked the computers of two of Yellen’s lieutenants, Deputy Secretary Wally Adeyemo and Acting Under Secretary Brad Smith.

One source said fewer than 50 files on Yellen’s machine were accessed.

The Chinese operatives breached the computers of the top Treasury officials and more than 400 laptop and desktop machines, accessing employee usernames and passwords and more than 3,000 files on unclassified personal devices. (Jake Bleiberg and Jamie Tarabay / Bloomberg)

Related: Reuters, Arutz Sheva, Daily Mail, The Jerusalem Post

The Federal Trade Commission said it had reached a settlement with General Motors that would ban the automaker from providing drivers’ behavior and geolocation data to consumer reporting agencies for five years.

Last year, the New York Times reported that GM was collecting data about people’s driving behavior, including how often they sped or drove at night, and selling it to data brokers that generated risk profiles for insurance companies. Some drivers reported that their auto insurance rates increased as a result.

“G.M. monitored and sold people’s precise geolocation data and driver behavior information, sometimes as often as every three seconds,” said Lina M. Khan, the chair of the FTC. “With this action, the F.T.C. is safeguarding Americans’ privacy and protecting people from unchecked surveillance.”

The FTC opened an investigation and determined that GM had collected and sold data from millions of vehicles “without adequately notifying consumers and obtaining their affirmative consent.”

Drivers who signed up for OnStar Connected Services and activated a feature called Smart Driver were subject to the data collection. However, federal regulators said the enrollment process was so confusing that many consumers did not realize they had signed up for it.

In a statement, GM said it had already ended the data collection program “due to customer feedback.” The company said customers could see and delete their personal information through a form on its website. (Kashmir Hill / New York Times)

Related: FTC, FTC, The Record, Reuters, Engadget, Detroit Free Press, Benzinga, Senator Ron Wyden, Bloomberg, Silicon Republic, The Register, The Verge, TechSpot, GM Authority, GM News, Wall Street Journal, Automotive News, Crain's Detroit Business, Mercury News, Associated Press

The US Treasury Department sanctioned a network of individuals and front companies linked to North Korea's Ministry of National Defense that generated revenue through illegal remote IT work schemes.

The Treasury's Office of Foreign Assets Control (OFAC) sanctioned North Korean front companies Korea Osong Shipping Co (Osong) and Chonsurim Trading Corporation (Chonsurim), as well as their presidents Jong In Chol and Son Kyong Sik.

OFAC also sanctioned Liaoning China Trade, a Chinese company that has supplied Department 53 of the Ministry of National Defense (a weapons-trading entity that also generates revenue through IT and software development front companies) with electronics equipment, including notebook and desktop computers. (Sergiu Gatlan / Bleeping Computer)

Related: Treasury Department, Cyberscoop, Security Week, BankInfoSecurity

The US Federal Trade Commission (FTC) will require web hosting giant GoDaddy to implement basic security protections, including HTTPS APIs and mandatory multi-factor authentication, to settle charges that it failed to secure its hosting services against attacks since 2018.

The FTC says GoDaddy's claims of reasonable security practices also misled millions of web hosting customers. Because it failed to implement standard security tools and practices, GoDaddy was "blind to vulnerabilities and threats in its hosting environment."

According to the FTC's complaint, GoDaddy's unreasonable security practices included failing to use multi-factor authentication (MFA), manage software updates, log security-related events, segment its network, monitor for security threats (including by failing to use software that could actively detect threats from its many logs), and use file integrity monitoring.

The company also failed to inventory and manage assets, assess risks to its website hosting services, and secure connections to services that provide access to consumer data.

The FTC says that, between 2019 and 2022, these data security failures led to several major security breaches, resulting in threat actors gaining access to customers' websites and data.

Under the settlement order, the FTC will require GoDaddy to establish a robust information security program and prohibit the company from misleading customers about its security protections. The order also mandates that GoDaddy hire an independent third-party assessor to conduct biennial reviews of its information security program.

The company is also required to add mandatory MFA for all customers, employees, and contractors' staff "to any Hosting Service supporting tool or asset, including connecting to any database" and "at least one method that does not require the customer to provide a telephone number, such as by integrating authentication applications or allowing the use of security key." (Sergiu Gatlan / Bleeping Computer)

Related: FTC, The Record, Silicon Angle, Newsweek, Dark Reading, Wall Street Journal, TechRadar, Cybernews

Residents across the United States are being inundated with spam text messages purporting to come from toll road operators like E-ZPass, warning that recipients face fines if a delinquent toll fee remains unpaid.

Researchers say the surge in SMS spam coincides with new features added to a popular commercial phishing kit sold in China. The kit makes it simple to set up convincing lures spoofing toll road operators in multiple US states.

Last week, the Massachusetts Department of Transportation (MassDOT) warned residents to be on the lookout for a new SMS phishing or “smishing” scam targeting users of EZDriveMA, MassDOT’s all-electronic tolling program. Those who fall for the scam are asked to provide payment card data and eventually will be asked to supply a one-time password sent via SMS or a mobile authentication app.

Similar SMS phishing attacks against customers of other US state-run toll facilities surfaced around the same time as the MassDOT alert. People in Florida reported receiving SMS phishing that spoofed Sunpass, Florida’s prepaid toll program.

Ford Merrill of SecAlliance said the volume of SMS phishing attacks spoofing toll road operators skyrocketed after the New Year when at least one Chinese cybercriminal group known for selling sophisticated SMS phishing kits began offering new phishing pages designed to spoof toll operators in various US states.

Merrill said multiple China-based cybercriminals are selling distinct SMS-based phishing kits, each with hundreds or thousands of customers. The ultimate goal of these kits, he said, is to phish enough information from victims so that their payment cards can be added to mobile wallets and used to buy goods at physical stores or online or to launder money through shell companies. (Brian Krebs / Krebs on Security)

Related: MassPIRG, CBS News, Asbury Park Press, NBC Boston, WFSB, Delaware News Journal, USA Today

Source: Krebs on Security.

The new rule, which will take effect 60 days after it is posted in the Federal Register, also sets strict parameters minimizing how long companies can hold on to children's data.

The FTC’s move is intended to block businesses from monetizing children’s data and update regulations under the Children’s Online Privacy Protection rule (COPPA rule) that went into effect in 2000. Privacy and children’s rights advocates have hotly anticipated the newly amended rule since the agency proposed it in December 2023.

Incoming FTC Chair Andrew Ferguson voted in favor of the new stricter COPPA rule, a development privacy advocates have closely watched as they seek to understand how he will prioritize data privacy during his tenure.

The five-member commission will flip to a Republican majority after the Senate confirms President-elect Donald Trump’s choice to fill a third seat. Congressional aide Olivia Trusty is expected to be his nominee. (Suzanne Smalley / The Record)

Related: FTC, Senator Ed Markey, Hunton Andrews Kurth, Bloomberg Law, Consumer Affairs

An official said the Biden administration doesn't plan to take action that forces TikTok to immediately go dark for US users on Sunday.

TikTok could still proactively choose to shut down that day, a move intended to clearly communicate to the 170 million people it says use the app each month the wide-ranging impact of the ban.

The law does not require TikTok to go dark on Jan. 19. However, app stores and internet hosting services could be held liable if they continue to provide their services to TikTok. The law allows the Justice Department to pursue fines of up to $5,000 per user, an enormous potential liability given the app's popularity.

So even if President Joe Biden or Donald Trump say they won't enforce the ban, tech companies will still be liable as long as ByteDance owns TikTok. Apple, Google, and Oracle have either not responded to ABC News or declined to comment about what they will do on Sunday.

And the reality is that both presidents have limited options to put the ban on hold.

The law states the president can grant a one-time extension delaying the ban for up to 90 days under three very specific conditions: TikTok must show it's on a "path to executing" a divestiture from its Chinese owner; there must be "evidence of significant progress" toward a sale; and that progress must be sealed with "relevant binding legal agreements." (Elizabeth Schulze, Devin Dwyer, and Steven Portnoy / ABC News)

Related: TechCrunch, Forbes, Daily Herald, The Verge, Reuters, Techdirt, Punchbowl News, NBC News, Asia Financial, Adweek, Associated Press, KQED, ZDNET, BBC, New York Times, The Information, Benzinga, Politico, Hypebeast, AzerNews, Reason, PhoneArena, Modern Retail, Mashable, thealpenanews.com, Washington Examiner, Tyla, TimesLIVE, Times of India, UNILAD, The Hill, KTVU-TV, Sky News, DNyuz, Reuters, BERNAMA, Just The News, New York Post, Voice of America, Flipboard, Breitbart, Pixel Envy, The Desk, The Daily Upside, KEYE, MyNorthwest.com, Bloomberg, B&T, Engadget, The Independent, Bloomberg, Slate, Variety, Forbes, PolitiFact, Lifehacker, Digital Trends, Android Police, RealClearPolicy, South China Morning Post, SheKnows, The Post Millennial, Associated Press, Fox Business, Daily Mail, The Wrap, AfroTech, New York Daily News, Dallas Express, Digital Music News, Business Insider, OMG.BLOG, The Torment Nexus, Al Jazeera, Gamereactor UK, Social Media Today, Iowa Capital Dispatch, HuffPost, Pocket-lint, New Republic, UNILAD, The Independent, The Boston Globe, Adweek, KTVU-TV, Barron's Online, Investor's Business Daily, NTD, NBC News, Washington Post

Roseltorg, Russia’s main electronic trading platform for government and corporate procurement, confirmed that a cyberattack had targeted it after initially claiming that outages were caused by “maintenance work.”

The company initially said its services had been temporarily suspended without further details. In a recent Telegram statement, Roseltorg disclosed that it had been targeted by "an external attempt to destroy data and the entire infrastructure of electronic trading."

Roseltorg stated that all data and infrastructure affected by the recent attack had been fully restored, and trading systems are expected to resume operations shortly. However, as of the time of writing, the company's website remains offline.

Last week, the previously unknown pro-Ukraine hacker group Yellow Drift claimed responsibility for the attack on Roseltorg, stating they had deleted 550 terabytes of data, including emails and backups. As proof, the hackers published screenshots from the platform’s allegedly compromised infrastructure on their Telegram channel. (Daryna Antoniuk / The Record)

Related: Fudzilla, Cnews

Best Thing of the Day: No Defense Ministry Should Be on X

The German Ministry of Defense announced that it has left the X platform and will no longer be posting there.

Worst Thing of the Day: Ransomware Not on the Downswing

GuidePoint Research and Intelligence Team (GRIT) reports that the number of ransomware victims reached an all-time high, with more than 1,600 in Q4 2024.
