FCC Fines T-Mobile $31.5 Million Over a String of Data Breaches

Storm-0501 now targets hybrid cloud environments, India's Operation Chakra-III busts 25 online scam operatives, Critical flaws in commercial platforms used by governments discovered, Lubbock health system hit by ransomware, Threat actor breaches Rackspace environment, much more


Don't miss my latest CSO piece that focuses on how CISOs will now have to wade through a thicket of AI regulations after Governor Newsom vetoed the state's nation-leading AI law.

The Federal Communications Commission (FCC) announced a $31.5 million settlement with T-Mobile over multiple data breaches that compromised the personal information of millions of U.S. consumers.

This agreement resolves the FCC Enforcement Bureau investigations into several cybersecurity incidents and resulting data breaches that impacted T-Mobile's customers in 2021, 2022, and 2023 (an API incident and a sales application breach).

As part of the settlement, the telecom carrier must invest $15.75 million in cybersecurity enhancements and pay the U.S. Treasury an additional $15.75 million civil penalty.

The company has also committed to implementing more robust security measures, including adopting modern cybersecurity frameworks like zero-trust architecture and multi-factor authentication that resists phishing attacks.

As part of the agreement, T-Mobile has committed to enhance its privacy, data security, and cybersecurity practices by addressing foundational security flaws, improving cyber hygiene, and adopting robust modern architectures. Among other things, this means providing regular cybersecurity updates from the company's Chief Information Security Officer to the board of directors to ensure greater oversight and governance; adopting data minimization, data inventory, and data disposal processes to limit the collection and retention of customer information; and detecting and tracking critical network assets to prevent misuse or compromise. (Sergiu Gatlan / Bleeping Computer)

Related: Federal Communications Commission, The Register, CyberScoop, The Verge, GeekWire, CRN, PhoneArena, Telecompetitor, Light Reading, PCMag, Nextgov/FCW, DataBreaches.Net, The Record, Reuters, Radio and Television Business Report

Researchers at Microsoft warn that ransomware threat actor Storm-0501 has recently switched tactics and now targets hybrid cloud environments, expanding its strategy to compromise all victim assets.

The threat actor emerged in 2021 as a ransomware affiliate for the Sabbath ransomware operation. Later, they started to deploy file-encrypting malware from Hive, BlackCat, LockBit, and Hunters International gangs. Recently, they have been observed to deploy the Embargo ransomware.

Storm-0501's recent attacks targeted hospitals, government, manufacturing and transportation organizations, and law enforcement agencies in the United States.

The attacker gains access to cloud environments by exploiting weak credentials and taking advantage of privileged accounts. The goal is to steal data and execute a ransomware payload. Storm-0501 obtains initial access to the network with stolen or purchased credentials or by exploiting known vulnerabilities.

Some of the flaws used in recent attacks are CVE-2022-47966 (Zoho ManageEngine), CVE-2023-4966 (Citrix NetScaler), and possibly CVE-2023-29300 or CVE-2023-38203 (ColdFusion 2016).

After getting access to the cloud infrastructure, the threat actor plants a persistent backdoor by creating a new federated domain within the Microsoft Entra tenant. This allows them to authenticate as any user whose "ImmutableId" property they know or can set.

In the final step, the attackers either deploy Embargo ransomware on the victim's on-premises and cloud environments or maintain backdoor access for later.

Microsoft said, "Once the threat actor achieved sufficient control over the network, successfully extracted sensitive files, and managed to move laterally to the cloud environment, the threat actor then deployed the Embargo ransomware across the organization." (Bill Toulas / Bleeping Computer)

Related: Microsoft, MSSP Alert, The Register, Dark Reading, TechRadar, Help Net Security, Petri


In a cybercrime crackdown called Operation Chakra-III, India's Central Bureau of Investigation (CBI) dismantled a crime syndicate targeting victims worldwide, arresting 25 key operatives at 32 locations spanning Pune, Hyderabad, Ahmedabad, and Vishakhapatnam and intercepting 170 individuals engaged in online criminal activities across four illicit call centers.

The accused masqueraded as tech support services, hoodwinking victims, particularly in the US, into believing their systems had been compromised.

The cybercriminals falsely asserted that funds were stolen, coercing victims to transfer funds to new accounts and demanding payments via international gift cards or cryptocurrency.

The CBI recovered 951 items, encompassing electronic devices, mobile phones, laptops, and financial information. They also seized cash, locker keys, and three luxury vehicles. (Raj Shekhar / The Times of India)

Related: The 420, CIO News, The Cyber Express, Deccan Chronicle, News 18, The Statesman, Business Standard

Software developer turned security researcher Jason Parker has found and reported dozens of critical vulnerabilities in nineteen commercial platforms used by hundreds of courts, government agencies, and police departments nationwide.

One flaw he uncovered in the voter registration cancellation portal for the state of Georgia, for instance, allowed anyone visiting it to cancel the registration of any voter in that state when the visitor knew the voter's name, birthdate, and county of residence.

In another case, document management systems used in local courthouses across the country contained multiple flaws that allowed unauthorized people to access sensitive filings, such as psychiatric evaluations that were under seal.

In one case, unauthorized people could assign themselves privileges that are supposed to be available only to court clerks and, from there, create, delete, or modify filings.

“These platforms are supposed to ensure transparency and fairness, but are failing at the most fundamental level of cybersecurity,” Parker wrote in a post. “If a voter’s registration can be canceled with little effort and confidential legal filings can be accessed by unauthorized users, what does it mean for the integrity of these systems?” (Dan Goodin / Ars Technica)

Related: Northantara

Cloud computing giant Rackspace has told customers intruders exploited a zero-day bug in a third-party application it was using and abused that vulnerability to break into its internal performance monitoring environment.

That intrusion forced the cloud-hosting outfit to take its monitoring dashboard offline for customers temporarily.

It appears Rackspace was hosting a ScienceLogic-powered monitoring dashboard for its customers on its own internal web servers. Those servers included a program bundled with ScienceLogic's software, which miscreants exploited using a zero-day vulnerability to gain access to those web servers. From there, the intruders were able to get hold of some monitoring-related customer information before being caught.

"On September 24, 2024, Rackspace discovered a zero-day remote code execution vulnerability in a non-Rackspace utility that is packaged and delivered alongside the third-party ScienceLogic application," a spokesperson for Rackspace said.

Rackspace uses a ScienceLogic stack internally for system monitoring and providing users with a dashboard. ScienceLogic, which supplies IT infrastructure observation software, did not immediately respond to a request for more information about the exploitation.

Abusing this zero-day vulnerability gave the criminals access to three of Rackspace's internal monitoring web servers "and some limited monitoring information," a Rackspace spokesperson said. (Jessica Lyons / The Register)

Related: Tech Monitor


And now, a word from our sponsor, Anchore

Learn the building blocks for adopting a secure software factory model in this webinar. The Department of Defense (DoD) software factory model has emerged as a cornerstone of innovation and security for national defense and cybersecurity. Software factories represent an integration of principles and practices found within the DevSecOps movement, with technical guidelines to support continuous cyber-readiness with real-time visibility.


The University Medical Center Health System in Lubbock, one of the largest hospitals in West Texas, has been forced to divert ambulances after a ransomware attack shut down many of its systems last Thursday.

The hospital system said it is “temporarily diverting incoming emergency and non-emergency patients via ambulance to nearby health facilities until access to our systems is restored.”

“Third parties that have helped other hospitals address similar issues have been engaged to assist in our response and investigation,” the hospital said.

The team responsible for the recovery effort could not provide a timeline for when services would be restored.

Experts were alarmed by the announcement, noting that UMC is the only level 1 trauma center within 400 miles.

Many of the hospital’s clinics are open but operate on downtime procedures. Patients will have to deal with delays, and hospital staff may not have access to portals with patient information. Patients are urged to bring in physical copies of their prescriptions and other information because doctors cannot access many patient records.

According to the hospital’s statement and a FAQ page, radiology systems are also down across several clinics, and phone service is intermittent.

The hospital is also calling patients scheduled for appointments with instructions on what will happen next. (Jonathan Greig / The Record)

Related: The Register, Lubbock Avalanche-Journal, Everything Lubbock, The HIPAA Journal

WhatsApp and Cloudflare are collaborating to strengthen the security of end-to-end encrypted messages by implementing a robust auditing process for Key Transparency. The collaboration introduces Plexi, an auditing tool that monitors and verifies the integrity of public keys, ensuring that user communication is secure.

The new Key Transparency framework is designed to ensure the integrity of public keys used in end-to-end encryption.

It also allows for the verification of the public keys used in end-to-end encryption, ensuring that user keys have not been altered or compromised. (WABetaInfo)

Related: Cloudflare, Scotsman, Financial Times


The UK Financial Conduct Authority announced that Olumide Osunkoya pleaded guilty to illegally operating a crypto ATM network, marking the first UK conviction for such an operation.

Osunkoya pleaded guilty to five offenses at a hearing held on Monday at Westminster Magistrates’ Court.

Earlier this month, the FCA charged him with running crypto ATMs that processed £2.6 million ($3.4 million) in crypto transactions across various locations without the required registration.

Sentencing for the offenses will take place at Southwark Crown Court at a date that will be confirmed. (Camomile Shumba / CoinDesk)

Related: Financial Conduct Authority, Cryptonews, UKTN (UK Tech News), changelly.com, CoinGape, crypto.news, City A.M. - Technology, Finance Magnates, The Block, CryptoSlate, CryptoMode, Coinpedia Fintech News, Protos, BeInCrypto

US authorities allege that a California man, Adam Iza, accused of failing to pay taxes on tens of millions of dollars allegedly earned from cybercrime, also paid local police officers hundreds of thousands of dollars to help him extort, intimidate, and silence rivals and former business partners.

Many of the man’s alleged targets were members of UGNazi, a hacker group that was behind multiple high-profile breaches and cyberattacks in 2012.

A federal complaint (PDF) filed last week said the Federal Bureau of Investigation (FBI) has been investigating the Los Angeles resident. Also known as “Assad Faiq” and “The Godfather,” Iza founded a cryptocurrency investment platform called Zort that advertised the ability to make smart trades based on artificial intelligence technology.

But the feds say investors in Zort soon lost their shorts, after Iza and his girlfriend began spending those investments on Lamborghinis, expensive jewelry, vacations, a $28 million home in Bel Air, even cosmetic surgery to extend his legs.

The complaint states that the FBI started investigating Iza after receiving multiple reports that he had several active deputies with the Los Angeles Sheriff’s Department (LASD) on his payroll. Iza’s attorney did not immediately respond to requests for comment.

The complaint cites a letter from an attorney for a victim referenced only as “E.Z.,” who was seeking help related to an extortion and robbery allegedly committed by Iza. The government says that in March 2022, three men showed up at E.Z.’s home, and tried to steal his laptop to access his cryptocurrency holdings online. A police report referenced in the complaint says three intruders were scared off when E.Z. fired several handgun rounds in the direction of his assailants.

E.Z. appears to be short for Enzo Zelocchi, a self-described “actor” who was featured in an ABC News story about a home invasion in Los Angeles around the same time as the March 2022 home invasion, in which Zelocchi is quoted as saying at least two men tried to rob him at gunpoint.

In many ways, the crimes described in the complaint and the various related civil lawsuits would prefigure a disturbing new trend within English-speaking cybercrime communities that has bubbled up in the past few years: the emergence of “violence-as-a-service” offerings that allow cybercriminals to extort and intimidate their rivals anonymously. (Brian Krebs / Krebs on Security)

Related: Courtlistener

California Senate Bill 1394, which requires connected car manufacturers to allow drivers to cut off remote access to their vehicles so abusers cannot track them, was signed into law by California Gov. Gavin Newsom.

The measure, which received strong support in the California legislature, was passed as part of a package of eight bills designed to help domestic violence survivors.

The legislation reflects the increasing sophistication of internet-connected vehicles’ capabilities, including the ability to track a user’s whereabouts from afar.

Because manufacturers typically produce car models that can be sold in various markets, the California bill could lead to a nationwide change.

Under the new California law, automakers must change how the connected cars they sell work by allowing drivers who establish that they legally possess a given vehicle to request that specific people can no longer remotely access their car.

The law also bans automakers from charging a fee to drivers seeking to cut off remote access and requires manufacturers to create an easy-to-use process for submitting requests. It also requires that automakers provide in-vehicle alerts to drivers if “remote vehicle technology” is being used. (Suzanne Smalley / The Record)

Related: Gov.ca.gov, Reuters


Please consider supporting Metacurity. If you enjoy Metacurity, please support our continued operation with an upgraded subscription. Thank you!


As part of its Secure Future Initiative, Microsoft has introduced an updated version of the "Publish API for Edge extension developers" that increases the security of developer accounts and browser extension updates.

The company is increasing security across all its product groups, including the browser extension publishing process, to prevent extensions from being hijacked with malicious code.

With the new Publish API, secrets are now dynamically generated API keys for each developer, reducing the risk of static credentials being exposed in code or other breaches.

These API keys will now be stored in Microsoft's databases as hashes rather than the keys themselves, further preventing possible leaking of the API keys.

To further increase security, access token URLs are generated internally and do not need to be sent by the dev when updating their extensions. This further improves security by limiting additional risks of exposing URLs that could be used to push malicious extension updates. (Mayank Parmar / Bleeping Computer)

Related: Windows Blog, Techzine


The National Security Agency and the Cybersecurity and Infrastructure Security Agency have collaborated with counterparts in Australia, Canada, New Zealand, and the United Kingdom to develop a cybersecurity technical report and guidebook to mitigate the Microsoft Active Directory platform’s cyber-attack vulnerabilities.

NSA said that the guidebook, “Detecting and Mitigating Active Directory Compromises,” provides strategies to prevent and detect the most common techniques for malicious AD access.

The 80-page report lists and describes the 17 techniques malicious actors commonly use to target AD and recommends mitigation strategies against cyber threats.

The report identified one cyberattack tactic: password spraying, which seeks authentication through a single or multiple passwords deployed on AD targets. As one security control to help deter password spraying, the guidance suggests long passwords with a minimum of 30 characters for local administrator and service accounts. (Arthur McMiler / ExecutiveGov)
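The spray pattern the report describes (one or a few passwords tried across many accounts) shows up in logon-failure telemetry as a single source failing against many distinct users in a short window. The detector below is an added example, not code from the NSA/CISA guidance; the event layout, thresholds, and sample records are constructed for the illustration.

```python
"""Password-spray detector over constructed AD logon-failure records.

Added example, not from the NSA/CISA guidance: it flags a source that fails
logons against many distinct accounts inside a short window, the pattern the
report calls password spraying. Field names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-logon events (think Windows Security event 4625):
# (timestamp, source IP, target account, failure reason).
SAMPLE_EVENTS = [
    ("2024-09-30T08:00:01", "10.0.5.21", "alice",   "bad_password"),
    ("2024-09-30T08:00:03", "10.0.5.21", "bob",     "bad_password"),
    ("2024-09-30T08:00:05", "10.0.5.21", "carol",   "bad_password"),
    ("2024-09-30T08:00:07", "10.0.5.21", "svc_sql", "bad_password"),
    ("2024-09-30T08:00:09", "10.0.5.21", "dave",    "bad_password"),
    ("2024-09-30T08:00:11", "10.0.5.21", "erin",    "bad_password"),
    # One user mistyping their own password a few times: not a spray.
    ("2024-09-30T08:10:00", "10.0.7.9",  "frank",   "bad_password"),
    ("2024-09-30T08:10:20", "10.0.7.9",  "frank",   "bad_password"),
    ("2024-09-30T08:10:40", "10.0.7.9",  "frank",   "bad_password"),
]


def detect_password_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {source_ip: sorted account list} for every source whose failed
    logons hit at least `min_accounts` distinct accounts within `window`."""
    by_source = defaultdict(list)
    for ts, src, user, reason in events:
        if reason == "bad_password":
            by_source[src].append((datetime.fromisoformat(ts), user))

    findings = {}
    for src, attempts in by_source.items():
        attempts.sort()          # time order so a sliding window is valid
        best, start = set(), 0
        for end in range(len(attempts)):
            # Shrink the window from the left until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) > len(best):
                best = users     # keep the widest set of accounts seen in any window
        if len(best) >= min_accounts:
            findings[src] = sorted(best)
    return findings


if __name__ == "__main__":
    for src, users in detect_password_spray(SAMPLE_EVENTS).items():
        print(f"possible password spray from {src}: {len(users)} accounts {users}")
```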

Related: NSA, MSSP Alert, The Stack, Help Net Security, Petri, Security Week, SC Media

The Cybersecurity and Infrastructure Security Agency (CISA) said it plans to revitalize a system for sharing cybersecurity threat information after a government watchdog raised concerns about the program’s recent shortcomings.

The Department of Homeland Security’s Office of the Inspector General published a report on Automated Indicator Sharing (AIS), which was mandated by a 2015 law to spread cyber threat intelligence.

CISA was criticized in the report for steep participation declines and missing information on the program’s funding. 

“The number of participants using AIS to share cyber threat information has declined to its lowest level since 2017. The overall number of AIS participants fell from 304 in CY 2020 to 135 in CY 2022,” the inspector general said. 

“Among other factors, overall participation in AIS declined because CISA did not have an outreach strategy to recruit and retain data producers. Concurrently, sharing of [cyber threat indicators] through AIS declined by 93 percent from CY 2020 to CY 2022.” 

The report notes that the decline in sharing occurred largely “because a key Federal agency” stopped sharing threat intelligence “due to unspecified security concerns with transferring information from its current system to AIS.” (Jonathan Greig / The Record)

Related: OIG

OT security company Dragos purchased Network Perception, a network configuration startup founded by a University of Illinois research scientist, to improve visibility and offer more robust protection for critical infrastructure.

Dragos said merging Dragos’ real-time network traffic monitoring with Network Perception’s configuration visualization will give organizations a more complete security solution. (Michael Novinson / GovInfoSecurity)

Related: Business Wire

Best Thing of the Day: Stand By for New Ransomware Deliverables

The White House promises "significant, major new deliverables" to address rising ransomware threats at this week's fourth annual International Counter Ransomware Initiative.

Worst Thing of the Day: Realizing Iran Has Been Interfering for Years

The recent spate of US legal actions against Iranian actors for trying to interfere in elections is merely a continuation of interference attempts by the country that date back to 2020.
