T-Mobile US hacked, Monero wallet app infected, public info records on 1.2bn people leak from database... OnePlus also compromised, and much more
Roundup Time for another roundup of all the security news that's fit to print and that we haven't covered yet.
T-Mobile US says hackers broke into customer info
T-Mobile US prepaid account holders got unwelcome news this week when their wireless carrier admitted on Friday it was compromised by miscreants who would have been able to ogle more than a million customers' personal information.
Exposed details include name, billing address, account number, and mobile plan types. T-Mobile notes that, at least, no bank card info was exposed.
"Our cybersecurity team recently discovered and shut down unauthorized access to some customer information, including yours, and promptly reported it to authorities," it says. "No financial data (including credit card information) or social security numbers were involved, and no passwords were compromised."
Given the rise in SIM-swapping attacks, however, those details could still be extremely useful to a criminal who is looking to con support staff into switching an account over to a new SIM card, thus giving them control of the number and all connected accounts.
Bad Binder breakdown
Over on the Google security blog, exploit-tracker Maggie Stone has written a detailed dissection of an Android security hole known as Bad Binder aka CVE-2019-2215. It is a use-after-free() flaw in the kernel that allows an attacker to escape the Chrome sandbox and take over the target device.
"The bug is a local privilege escalation vulnerability that allows for a full compromise of a vulnerable device," Stone said. "If chained with a browser renderer exploit, this bug could fully compromise a device through a malicious website."
Indeed, it was exploited by the NSO Group's Pegasus mobile spyware in the wild to hijack gadgets, we understand.
Louisiana hit by ransomware outbreak
Just days after holding a hotly contested election, the US state of Louisiana fell victim to a ransomware attack that led Governor John Bel Edwards to activate the state cybersecurity response team and temporarily shut down some government services, including the state department of motor vehicles.
It looks like the damage was not too serious, and there was no connection to the election results.
Malware sneaks into official Monero wallet build
A brief but serious compromise of the Monero crypto-coin website resulted in official downloads of the project's wallet app being infected with malicious code.
The legit builds were switched out for the shady versions, and remained available for 35 minutes on Monday before being taken down. Users who downloaded and installed the software are advised to check the hashes of their applications against the hashes on the site, and get a new, clean copy of the software if needed. Although the attack was fairly brief, it's massively concerning that crooks were able to perform the switch in the first place: the malicious code was seemingly designed to siphon money from the wallets.
Also, the compromise was noticed when the hashes of the dodgy builds did not match the hashes published on the site. Always. Check. The. Hashes.
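The hash check the article urges, as an added example that is not from the Monero project: it streams a downloaded file through SHA-256, parses a sha256sum-style list of published digests, and compares in constant time. The file names, file contents and the "published" list here are constructed for the demo, not real Monero releases.

```python
"""Verify a downloaded build against a published hash list (added example)."""
from __future__ import annotations
import hashlib
import hmac
import tempfile
from pathlib import Path

def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large binaries need not fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_hash_list(text: str) -> dict[str, str]:
    """Parse 'sha256hex  filename' lines (sha256sum format); skip blanks/comments."""
    published: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed hash line: {line!r}")
        published[name.strip()] = digest
    return published

def verify_download(path: Path, published: dict[str, str]) -> bool:
    """True only if the file's SHA-256 matches the published digest for its name."""
    expected = published.get(path.name)
    if expected is None:
        return False  # an unlisted file is unverified, never treated as OK
    return hmac.compare_digest(sha256_file(path), expected)

def demo() -> tuple[bool, bool]:
    """Constructed scenario: a clean build and a swapped build under the same name."""
    clean = b"constructed wallet build bytes\x00" * 1000
    tampered = clean[:-1] + b"\x01"  # one byte differs, as a swapped build would
    with tempfile.TemporaryDirectory() as d:
        good, bad = Path(d, "wallet-good.bin"), Path(d, "wallet-bad.bin")
        good.write_bytes(clean)
        bad.write_bytes(tampered)
        # The "published" list (constructed) carries the clean digest for both names.
        digest = hashlib.sha256(clean).hexdigest()
        published = parse_hash_list(f"{digest}  wallet-good.bin\n{digest}  wallet-bad.bin\n")
        return verify_download(good, published), verify_download(bad, published)
```

A mismatch means the file is not the build the site vouches for; delete it and download again rather than installing it.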
In brief... US House of Reps OK'd a short-term government funding bill that quietly reauthorized three Foreign Intelligence Surveillance Act (FISA) authorities set to expire in December. It won't be law until the Senate approves it... Jeanette Manfra, a top official within the US Homeland Security's cyber wing, said on Thursday she will leave her position at the end of the year. This comes as the cybersecurity team at the White House reportedly quit this week... Google also expanded its Android bug bounty program to include a top prize of $1m.
Roboto botnet examined
The team at Qihoo 360 Netlab has posted a deep dive into a peer-to-peer botnet known as Roboto. The malware seems to have DDoS capabilities, but the team can't say for sure exactly what its purpose is yet.
1.2 billion people's records exposed
The team at DataViper has discovered yet another inadvertently wide-open public-facing Elasticsearch instance filled with personal information, this one purportedly with information on 1.2 billion people. Don't get too worked up, though: all of the information looks to have already been public. It's still not nice having it all under one roof for miscreants to mine. There were no password protections on the database, which has since been taken down.
The silo included things like names, email addresses, phone numbers, and LinkedIn and Facebook profile details.
Ryuk bites vets
Some 400 veterinarian offices in America were hit with ransomware after the network of National Veterinary Associates was infected by Ryuk. The biz itself has recovered, but some individual customers are still working to get their files back.
US Senate green-lights $250m electric grid security fund
The US Senate's Natural Resources Committee has advanced a bill that would earmark a quarter of a billion dollars for electric grid security.
The proposed Protecting Resources on the Electric Grid with Cybersecurity Technology law will now head to the floor for a full vote. If passed by both sides of Congress, it would run from 2020 through 2024.
OnePlus warns of breach
Smartphone builder OnePlus has notified punters it has once again been relieved of some of their personal details. No payment card data nor social security numbers nor passwords were lifted by miscreants who broke into the outfit's systems, apparently, though the company is still expecting some of the info to be weaponized.
"We can confirm that all payment information, passwords and accounts are safe, but certain users' name, contact number, email and shipping address may have been exposed," OnePlus told folks. "Impacted users may receive spam and phishing emails as a result of this incident."
Intel warns of VM crashes
A recently posted technical document from Intel warns that a number of its more recent processors are subject to a vulnerability that can be triggered by malicious virtual machines and operating systems. If exploited, CVE-2018-12207 could allow a guest OS on a host server to crash the underlying physical machine.
Uber unveils in-car recording scheme
Uber says it is testing a program that will allow riders and drivers to record conversations during journeys for, apparently, safety reasons. According to the Washington Post, the first pilot programs will be run in Latin America, and if they are successful will move to the US, where they will no doubt face scrutiny over privacy and data security concerns.
Sandworm crew spied on Android phones
The Russian government's Sandworm hacker gang targeted foreign officials using Android malware that masqueraded as a pair of Korean-language apps and later a Ukrainian-language app, according to Google eggheads. All three strains of the spyware slipped into the official Play store before being spotted and removed. ®