Microsoft Source Code Exposed, T-Mobile Breach, Whirlpool Ransomware Attack

SecurityMetrics News Episode 2

In this SecurityMetrics News episode, Heff and Forrest analyze recent cybersecurity news, including the recent Microsoft source code leak, the T-Mobile breach, Whirlpool ransomware attack, updates on the alarming Solarwinds breach, and a review of all the nasty breaches recorded in 2020. They dive in to help you understand the attacks and give tips to avoid data breaches at your organization.

Matthew Heffelfinger - (Director of SIEM Operations, GSTRT, CyRP (Pepperdine), GRCP, SSAP, ITIL4-F, GISF, PECB) Forrest Barth - (SOC Analyst, CISSP, CMNO, Security+)

Microsoft Source Code Exposed

As a SolarWinds customer, Microsoft is performing an ongoing investigation into their network, looking for “indicators of the Solorigate actor.” They found no indications that production services or customer data was accessed. They also found no evidence of the “common TTPs (tools, techniques and procedures) related to the abuse of forged SAML tokens.”

However, while investigating, they noticed unusual activity which led them to discover that an internal account had been used to view source code in a number of repositories. The accounts were investigated and remediated. 

What we know and can learn:

• Microsoft is a large and appealing target, especially for advanced attackers. 
• Source code leaks are worrisome for businesses who use Microsoft; they rely on source code secrecy. 
• Attackers did not edit or change source code. 
• We don’t know where the affected source code was or if it impacted microservices, APIs, libraries, or SDKs. 
• This kind of attack helps threat actors do many things (e.g., write rootkits.)

Over 20 billion records breached in 2020 

In December, there were 134 reported security incidents and 148,354,955 breached records, bringing the 2020 total to over 20 billion. This is the highest number of publicly reported incidents ever. Incidents in 2020 include: 

• T-Mobile Data Breach: In its fourth reported data breach in three years, T-Mobile notified customers in December that they discovered “malicious, unauthorized access” to customer proprietary network information. The information did not include customer names, financial data, or identifying information, but is still considered sensitive in nature. The breach affected 200,000 accounts and was quickly shut down after identification. 
• Whirlpool Ransomware Attack: Hacking group Nefifilm is claiming responsibility for malware found on Whirlpool’s systems. While Whirlpool reports that the malware was discovered, contained, and found to result in no data exposure or operational disruptions, Nefifilm claims to have stolen data from Whirlpool and has posted that, “Whirlpools [sic] cybersecurity is very fragile, which allowed us to breach their network for the second time after they stopped the negotiations.”
• Payment processor JusPay: JusPay processes payments for companies like Amazon and Swiggy. Hackers exploited an old, unrecycled AWS key which resulted in the exposure and sale of around 35 million payment and personal records. 

SolarWinds Breach Deep Dive

• It appears attackers in the SolarWinds breach were able to access the software development and delivery pipeline. 
• Tactics include avoiding major damage to systems and staying beneath the radar as much as possible. 
• Copycat attacks are likely to follow. 

Cybersecurity news and updates

• The US Department of the Treasury and the FDIC have proposed a rule which would require banks to notify their regulators of a “computer security incident” within 36 hours. 
• More supply chain attacks, including those targeting Vietnamese government agencies and COVID-19 vaccine distribution. 
• Ransoms demanded from cyber attackers continue to rise.
• Mandatory WhatsApp updates allow user data to be shared with Facebook.