Infosec in brief T-Mobile has had another bad week on the infosec front - this time stemming from a system glitch that exposed customer account data, followed by allegations of another breach the carrier denied.

According to customers who complained of the issue on Reddit and X, the T-Mobile app was displaying other customers' data instead of their own - including the strangers' purchase history, credit card information, and address.

This being T-Mobile, people immediately began leaping to the obvious conclusion: another cyber attack or breach.

"There was no cyber attack or breach at T-Mobile," the telco assured us in an emailed statement. "This was a temporary system glitch related to a planned overnight technology update involving limited account information for fewer than 100 customers, which was quickly resolved."

Note, as Reddit poster Jman100_JCMP did, T-Mobile means fewer than 100 customers had their data exposed - but far more appear to have been able to view those 100 customers' data.

As for the breach, the appearance of exposed T-Mobile data was alleged by malware repository vx-underground's X (Twitter) account. The Register understands T-Mobile examined the data and determined that independently owned T-Mobile dealer, Connectivity Source, was the source - resulting from a breach it suffered in April. We understand T-Mobile believes vx-underground misinterpreted a data dump.

Connectivity Source was indeed the subject of a breach in April, in which an unknown attacker made off with employee data including names and social security numbers - around 17,835 of them from across the US, where Connectivity appears to do business exclusively as a white-labelled T-Mobile retailer.

Looks like T-Mobile really dodged the bullet on this one - there's no way Connectivity Source employees could be mistaken for T-Mobile staff.

T-Mobile has already experienced two prior breaches this year, but that hasn't imperilled the biz much - its profits have soared recently and some accompanying sizable layoffs will probably keep things in the black for the foreseeable future.

Warning: That PoC might contain more than you bargain for

There are plenty of reasons why security researchers publish proof of concept (PoC) code for the vulnerabilities they discover, but some ingenious malware actor has figured out PoCs are also a clever way to distribute malware.

Researchers from Palo Alto Networks' Unit 42 said they've discovered a fake PoC for a remote code execution vulnerability in WinRAR that was identified on August 17. Only four days after the Zero Day Initiative disclosed the vulnerability a fake PoC was uploaded to GitHub by a threat actor using the alias "whalersplonk."

The fake PoC script was based on another PoC that exploited an SQL injection vulnerability with the ultimate goal of installing the VenomRAT malware.

Unit 42 said it's unlikely whalersplonk specifically targeted security researchers, and likely aimed to compromise other threat actors who take advantage of new PoCs. "Based on a timeline of events, we believe the threat actor had created the infrastructure and payload independently from the fake PoC. Once the vulnerability was publicly released, the actors acted quickly to capitalize on the severity," Unit 42 explained.

Regardless, watch what you download.

Ransomware: Only getting worse, if insurance is a metric

Cyber insurance firm Coalition has released a mid-year look at the state of cyber security insurance, and found an increase in claims.

"The cyber threat landscape has become more volatile, and, as a result, we've seen claims become more severe and more common than ever," said Chris Hendricks, head of Coalition incident response.

Hendricks isn't kidding. Coalition reports that it saw a 27 percent year-over-year increase in the first half of 2023 in the number of ransomware claims, and said the severity of those claims increased by 61 percent in the same period, and 117 percent over the past year.

Ransom demands are up too, with the average demand being reported by Coalition clients up to $1.62 million (£1.3m) - a 47 percent increase over the past six months, and a 74 percent year-over-year increase.

This squares with data from other sources that have reported considerable rises in ransom demands over the past year. Unfortunately, with insurance firms willing to negotiate ransom payments, said payments are continuing, making the likelihood cyber criminals keep using the tactic all the greater.

So stop paying your ransoms - along with Hendricks's advice to "take an active role in improving … security defenses and make risk management a top priority."

Sophos warns of rise in pig butchering liquidity mining scam

Security software outfit Sophos warned last week that a variant of the common pig butchering scam targets liquidity mining of cryptocurrency.

One ring of pig butcherers Sophos uncovered operated out of 14 domains and net over $1 million in only three months.

An example of the con included a victim who was lured to a scammer on an online dating app. The victim was convinced to participate in an (unbeknownst to them) fake liquidity pool he believed would provide a percentage of any fee paid when a trade was made, using a legitimate cryptocurrency app, Trust Wallet.

However, to join the pool, he had to give permission to another account to access his wallet to facilitate trade. Someone subsequently abused that trust and siphoned off the victim's money.

Pig butchering scams got their rise in China before becoming a global nuisance. In the case Sophos outlined, the scammer pretending to be a love interest would sometimes accidentally and suspiciously respond to the victim in Chinese.

"What makes these sorts of scams particularly tricky is that they don't require any malware to be installed on a victim's device. They don't even involve a fake app, like some of those we've encountered in other CryptoRom scams. This entire fake liquidity pool was run through the legitimate Trust Wallet app," said Sophos researcher Sean Gallaher in a canned statement.

The researcher explained that while these scams were once rare, the security outfit is now seeing more than 500 fraudulent liquidity pool sites.

"Very few understand how legitimate cryptocurrency trading works, so it's easy for these scammers to con their targets. There are even toolkits now for this sort of scam, making it simple for different pig butchering operations to add this type of crypto fraud to their arsenal," said Gallagher. - Laura Dobberstein ®

https://www.theregister.com//2023/09/25/tmobile_exposes_some_customer_data/