Sunday 14th July 2024

Good morning everyone, I hope you're all having a lovely weekend, thank you for joining me for today's edition of Cyber Daily. Let's face it data breaches, ransomware attacks, and software vulnerabilities are becoming the norm, staying informed is your best defence. Today's edition looks into AT&T's massive data breach affecting millions, CDK Global's costly ransom payment, and a critical Exim vulnerability putting over 1.5 million servers at risk.

AT&T Customer Data Breach: What You Need to Know

AT&T has confirmed a significant data breach affecting "nearly all" of its wireless customers and those of mobile virtual network operators (MVNOs) using its network. Between April 14 and April 25, 2024, cybercriminals accessed an AT&T workspace on a third-party cloud platform, stealing call and text interaction records from May 2022 to January 2023.

The compromised data includes:

• Telephone numbers involved in interactions
• Counts of those interactions
• Aggregate call duration
• Some cell site identification numbers

While the content of calls and texts and personal details like Social Security numbers and dates of birth were not exposed, the stolen data can still reveal significant information about communication patterns and locations.

The breach impacts AT&T's MVNO partners, such as Cricket Wireless, Consumer Cellular, and TracFone, among others. AT&T is notifying current and former customers whose data was involved.

Jake Williams, a former NSA hacker, noted the value of the stolen call data records (CDRs) for intelligence analysis. The hackers, part of a group known as UNC5537, are financially motivated and have demanded ransoms between $300,000 and $5 million.

AT&T quickly responded upon discovering the breach on April 19, 2024, collaborating with law enforcement. One suspect, John Binns, has been apprehended. Snowflake, the third-party cloud provider, has enforced mandatory multi-factor authentication (MFA) for all new accounts to prevent future breaches.

AT&T advises customers to be vigilant against phishing and smishing attacks and to verify texts from trusted sources.

CDK Global Pays $25M Ransom After Cyberattack

CDK Global, a major provider of software for car dealerships, reportedly paid a $25 million ransom in Bitcoin following a crippling ransomware attack. The attack led to a two-week outage, disrupting operations for up to 15,000 dealerships, including major chains like Asbury, AutoNation, and Lithia.

• The ransomware, identified as BlackSuit, took CDK's servers offline, halting sales and registrations.
• Sources claim CDK paid the ransom two days after the attack via a third-party firm specialising in cyber-ransom demands.
• TRM Labs tracked a 387 Bitcoin transaction to the ransomware operators.

The attack caused an estimated $600 million in damages to dealerships, far surpassing the ransom amount. Recovery involved restoring from backups and potentially decrypting data, adding to downtime. Sonic Automotive, in a filing with the SEC, mentioned ongoing investigations and incomplete restorations.

Ransomware victims increasingly resist paying ransoms; only 29% did so in late 2023.The attack highlights the massive financial and reputational risks posed by ransomware.

Businesses should bolster cybersecurity measures, maintain robust backups, and develop incident response plans to mitigate such risks.

Exim MTA Vulnerability Puts Over 1.5 Million Servers at Risk

Cybersecurity firm Censys has issued a warning that over 1.5 million Exim mail transfer agent (MTA) instances remain unpatched against a critical vulnerability (CVE-2024-39929) that allows threat actors to bypass security filters.

- CVE-2024-39929: Impacts Exim versions up to 4.97.1.

- Cause: Incorrect parsing of multiline RFC2231 header filenames.

Allows remote attackers to deliver malicious executable attachments by circumventing $mime_filename extension-blocking. If a user downloads or runs these malicious files, their system could be compromised. Censys identified 1,567,109 vulnerable Exim servers, primarily in the US, Russia, and Canada.

Admins unable to immediately upgrade Exim should restrict remote access to their servers to prevent exploitation. It's crucial as Exim is the default MTA for Debian Linux and the most widely used MTA globally, making it a frequent target for cyberattacks.

• Previous Exploits: The NSA revealed in May 2020 that the Russian hacking group Sandworm exploited a similar Exim flaw (CVE-2019-10149) since 2019.
• Recent Patches: In October, Exim developers patched three zero-days, including CVE-2023-42115, which exposed servers to remote code execution (RCE) attacks.

With millions of servers exposed online, prompt patching and stringent access controls are essential to safeguard against these vulnerabilities.