06.01.25 Threat Report

Meta Fined €251 Million for 2018 Data Breach Impacting 29 Million Accounts

Meta Platforms, the parent company of Facebook, Instagram, WhatsApp, and Threads, has been fined €251 million (approximately $263 million) by the Irish Data Protection Commission (DPC). This penalty pertains to a significant data breach in 2018 that exposed the personal data of millions of users worldwide, including around 3 million in the EU and EEA. This incident is a stark reminder of the importance of embedding robust security and compliance processes within systems from the outset.

Incident Details

The breach stemmed from a vulnerability in Facebook's "View As" feature, introduced in July 2017. This flaw allowed threat actors to obtain user access tokens—effectively digital keys—that granted full access to user accounts. Exploiting this, attackers accessed:

• Full names, email addresses, and phone numbers
• Locations, places of work, dates of birth, and religious affiliations
• Gender, group memberships, and timeline posts
• Personal data related to children

Between September 14 and 28, 2018, attackers used automated scripts to access 29 million accounts globally, leveraging the flaw for malicious purposes.

Key Violations of GDPR Articles

The DPC's investigation highlighted failures under four key GDPR provisions:

1. Article 33(3) – Meta failed to include necessary information in its breach notification.
2. Article 33(5) – Inadequate documentation of the incident prevented effective oversight by the supervisory authority.
3. Article 25(1) – Data protection measures were not embedded in the design of Meta’s processing systems.
4. Article 25(2) – Meta did not implement controls to ensure only necessary personal data was processed for specific purposes.

The penalty reflects the severity of failing to integrate privacy by design and highlights the repercussions for organisations that do not prioritise compliance.

Impact Beyond the EU

Meta’s legal challenges extend globally. In Australia, the company agreed to a AU$50 million ($31.5 million) settlement related to the Cambridge Analytica scandal. This separate matter involved the unauthorised use of personal data for political profiling, affecting over 311,000 users indirectly.

Periculo’s Recommendations

1. Embed Privacy by Design and Default: Organisations should ensure data protection is a core element in system development and decision-making processes to prevent vulnerabilities.
2. Perform Regular Penetration Testing: Testing features, especially those involving user permissions, helps identify weaknesses early.
3. Strengthen Incident Response Plans: Compliance frameworks should mandate clear documentation, ensuring effective oversight and timely reporting.
4. User Data Minimisation: Limit the collection and storage of personal information to what is strictly necessary to reduce exposure in case of breaches.
5. Proactive Compliance Audits: Regular internal GDPR compliance checks can highlight areas of improvement before regulatory authorities impose fines.

Spyware Distributed through Amazon Appstore

As smartphones become an indispensable part of our daily routines, threat actors are increasingly using deceptive techniques to infiltrate our devices. One recent case involves a seemingly harmless health app, BMI CalculationVsn, found on the Amazon Appstore. Marketed as a simple BMI calculator, the app was secretly collecting sensitive information, including installed app data and incoming SMS messages. Prompt action by Amazon, following a report by McAfee, led to the app's removal from the platform.

Malicious Functionality Breakdown

Superficial Functionality

On the surface, BMI CalculationVsn presented a single-page interface where users could input their weight and height to calculate their Body Mass Index (BMI). The app's design appeared legitimate and consistent with standard health-related applications.

Malicious Activities Detected

Despite its benign appearance, further investigation revealed the following malicious capabilities:

• Screen Recording: The app initiates a background service that requests screen recording permissions when users click the “Calculate” button. This feature could potentially capture sensitive data, such as gesture passwords and inputs from other applications. However, the analysis indicated that this feature was not yet fully operational, as the recorded MP4 files were not uploaded to the command-and-control (C2) server due to incomplete code implementation.
• Installed App Scanning: The app scans the device for a list of all installed applications. This data could be leveraged to identify high-value targets and plan more advanced, tailored attacks.
• SMS Interception: The app collects all incoming SMS messages, likely to capture one-time passwords (OTPs) and verification codes. The messages are stored in Firebase at the following bucket: testmlwr-d4dd7.appspot.com.

Under-Development Malware

Analysis of the app's structure suggests it is still in development. The Firebase Installation API URL contains the term "testmlwr," indicating the app’s testing phase. Additionally, a timeline review via VirusTotal revealed that the app was initially developed in October 2024 as a screen recording app. Later iterations introduced the BMI calculator interface and added SMS-stealing functionality.

Threat Actor and Distribution

The developer is listed as “PT. Visionet Data Internasional,” a name associated with an Indonesian IT management service provider. This indicates the potential misuse of a legitimate brand name to gain users' trust.

The use of this branding suggests the malware author may have ties to Indonesia or knowledge of the region’s enterprises.

Indicators of Compromise (IoCs)

• Distribution URL:hxxps://www.amazon.com/PT-Visionet-Data-Internasional-CalculationVsn/dp/B0DK1B7ZM5/
• Command-and-Control (C2) Servers / Storage Buckets:hxxps://firebaseinstallations.googleapis.com/v1/projects/testmlwr-d4dd7hxxps://6708c6e38e86a8d9e42ffe93.mockapi.io/testmlwr-d4dd7.appspot.com
• Sample Hash:8477891c4631358c9f3ab57b0e795e1dcf468d94a9c6b6621f8e94a5f91a3b6a

Periculo’s Recommendations

1. Use Trusted Security Solutions: Install reputable antivirus and mobile security applications to detect and block spyware before it can cause harm.
2. Review Permissions: Pay close attention to permission requests during app installation. Deny any requests unrelated to the app’s advertised function (e.g., a BMI calculator requesting access to SMS and screen recording is highly suspicious).
3. Monitor Device Performance: Watch for signs of malicious activity, such as reduced performance, increased battery drain, or spikes in data usage. These indicators could suggest spyware is running in the background.
4. Verify App Sources: Only download apps from official, trusted app stores and review app permissions, ratings, and developer details carefully.
5. Incident Response Plan: Ensure your organisation has an incident response strategy that includes mobile threat detection and mitigation to quickly contain spyware infections.

This incident highlights the evolving threat landscape in the mobile app ecosystem. Even seemingly harmless utilities, such as health apps, can serve as vectors for spyware. By remaining vigilant and implementing robust security practices, both individuals and organisations can better protect sensitive data from emerging threats.

Telemetry Data from 800,000 VW Group EVs Exposed Online

In yet another instance of cloud mismanagement, Volkswagen Group subsidiary Cariad inadvertently exposed telemetry data from approximately 800,000 electric vehicles (EVs) due to poorly secured web applications. According to reports from Der Spiegel, the breach exposed sensitive vehicle and driver data across VW brands, including VW, Seat, Audi, and Skoda.

Details of the Incident

Cariad, tasked with developing VW Group’s software platform for EVs, left internal application data accessible via unsecured web subpages. A whistleblower identified a memory dump file containing sensitive credentials and shared the information with Der Spiegel and the Chaos Computer Club (CCC).

• Key Findings:AWS Cloud Storage Access: Credentials to an Amazon Web Services (AWS) server storing telemetry data were exposed.Vehicle Telemetry Data: The dataset included information such as battery levels, inspection status, vehicle on/off status, and precise geolocation data.Tracking Accuracy: For nearly half of the affected EVs, geolocation data was precise to within 10 centimetres, providing detailed tracking information.Driver Identification: Access credentials also led to personal information, such as driver names, contact details, and fleet manager information, enabling the potential for significant privacy violations.

Breach Response

The Chaos Computer Club reported the vulnerability to Cariad, which promptly secured the exposed data. According to the CCC, there is no evidence to suggest that unauthorised parties other than researchers accessed the data. VW Group has not indicated that customers need to take any action at this time.

Periculo’s Analysis and Recommendations

This incident reinforces the critical need for robust cloud security measures in the automotive and IoT sectors. Below are Periculo’s key recommendations:

1. Conduct Routine Cloud Configuration Audits: Perform regular reviews of cloud infrastructure to detect misconfigurations and eliminate public access to sensitive internal applications.
2. Enforce Credential Hygiene: Avoid storing access credentials in application dumps or unsecured subpages. Implement secure secrets management tools to protect sensitive credentials.
3. Implement Zero-Trust Architecture: Restrict access based on roles and implement multi-factor authentication (MFA) to prevent unauthorised access, even if credentials are exposed.
4. Data Minimisation: Limit the type and precision of telemetry data collected and stored to reduce privacy risks if a breach occurs.
5. Comprehensive Logging and Threat Detection: Enable logging to monitor unauthorised access attempts and deploy threat detection solutions to identify anomalies in cloud access.
6. Incident Response Drills: Conduct breach simulation exercises that include cloud service failures to improve organisational readiness and response times.

Implications of Cloud Mismanagement

This case highlights the privacy risks of unsecured cloud resources and the potential reputational damage organisations face. For consumers, the possibility of having personal driving routes and geolocation data exposed raises serious concerns about surveillance and targeted attacks.

The VW Group incident serves as a caution for organisations that rely on cloud platforms to store and process sensitive telemetry data. Implementing robust cloud security practices and adopting proactive monitoring can significantly reduce the risk of data exposure.

Atos Denies Space Bears' Ransomware Claims – with a ‘But’

French IT giant Atos has denied claims by the Space Bears ransomware group that its systems were breached. However, Atos has acknowledged that an unrelated third-party infrastructure containing data referencing the company’s name was compromised. This incident raises concerns about supply chain vulnerabilities and the impact of third-party breaches on larger organisations.

Incident Details

• Initial Claims: On December 28, 2024, the Space Bears ransomware group listed Atos on its leak site and set a deadline of January 7 for the company to comply with ransom demands or risk a public data dump.
• Atos' Response: Atos issued a statement on January 3, calling Space Bears' claims "unfounded" and asserting:No Atos-managed infrastructure was breached.No proprietary data, source code, or intellectual property was accessed.No ransom demand had been received by Atos.
• Concession of Third-Party Breach: Atos later clarified that the ransomware gang had indeed compromised external third-party infrastructure containing data mentioning Atos. However, this infrastructure was not managed, owned, or secured by Atos.
• Unanswered Questions: Atos has not disclosed who owns the third-party infrastructure, whether it is an Atos supplier, or if the exposed data includes sensitive customer information.

Implications of Third-Party Breaches

This incident highlights the growing threat posed by supply chain vulnerabilities:

• Indirect Compromise: Even when an organisation’s internal systems are secure, breaches at third-party vendors or partners can still expose sensitive data.
• Brand Reputation Risks: Data with Atos’ name appearing in a breach—even if unrelated—could damage customer trust and raise concerns about overall cybersecurity practices.
• Potential Data Sensitivity: If the third-party breach involved client-related information, this could elevate regulatory and reputational risks.

Periculo’s Recommendations

1. Conduct Third-Party Risk Assessments: Regularly evaluate the security posture of vendors and partners to identify weaknesses in their systems and processes.
2. Implement Strong Third-Party Access Controls: Limit data-sharing and ensure that vendors accessing company-related data comply with robust security measures and standards.
3. Adopt a Zero-Trust Supply Chain Model: Enforce strict access permissions and monitor third-party access in real time. Assume that external networks may be compromised and segment sensitive data accordingly.
4. Ensure Breach Reporting Clarity: Develop clear communication strategies to ensure transparency with customers and stakeholders during third-party incidents to maintain trust and manage reputational damage.
5. Supply Chain Threat Intelligence: Proactively gather and act on threat intelligence related to known ransomware groups like Space Bears to understand potential risks and mitigate threats before they escalate.

The Atos and Space Bears incident highlights how third-party breaches can impact organisations even when their own systems remain secure. In the era of interconnected digital ecosystems, securing internal systems is only one piece of the puzzle—third-party risk management is equally critical.

Stay ahead of emerging cyber threats with real-time insights from Periculo’s Weekly Threat Feed. Our updates provide you with critical information on the latest vulnerabilities, attacks, and security trends—all designed to help you protect your business and make informed decisions.

Sign up now to receive expert threat intelligence straight to your inbox and stay one step ahead of potential risks.

Your first line of defence starts with staying informed.