Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Telecom. Show all posts
Ukrainian Hackers
Cyber Attacks Cyber Warriors CyberCrime Cybersecurity Cyberthreats Data Center Internet Services Russian Military Telecom Ukrainian Hackers

Under Siege: Ukrainian Cyber Warriors Erase Vital Russian Military Data Center

 


On April 8 of this year, sources in the Ukrainian Security Service of Ukraine (SBU) told the Kyiv Independent that Ukrainian hackers, possibly linked to the SBU, destroyed a data centre used by Russian military, energy, and telecommunications companies. In a recent attack, Ukrainian hackers connected to the SSU cyber department destroyed a data centre belonging to a Russian industrial giant. 

They included Gazprom, Lukoil, Telecom and some of the leading military companies in the country. Sources have stated that more than 10,000 entities involved in the Russian military industry have stored their data in OwenCloud.ru cloud services, which the hackers targeted. 

A number of these companies, including Ural Works of Civil Aviation, Rubin, Ural Plant Spectechniks, Gazprom, Transgaz, Lukoil, Rosneft, Nornickel, Rostelecom, or MegaFon, reportedly make up this group: the oil and gas industry, the metallurgical and aerospace industry, as well as major telecommunication giants. 

A source stated that over 300 TB of data were taken out of circulation on 400 virtual and 42 physical servers. This operation involved the Ukrainian hacking group BLACKJACK and the cyber division of the Ukrainian Security Service. In addition to internal documents and backups, these servers had software used to manage production processes remotely, according to a source. 

The OwenCloud.ru website, at the moment of publication, displays what is alleged to be a message left by a group called Blackjack, stating that the centre's "information technology infrastructure has been destroyed." The Ukrinform news service reports nearly 4,500 cyberattacks on Ukraine are carried out by Russian hackers every year. Kyivstar was attacked by a powerful hacker on December 12, 2023, which caused the company to experience a technical breakdown.

Communication and internet services stopped working. It is estimated that around 16,000 Russian companies are affected by the strike, such as Lukoil, Rosneft, The Ural Works of Civil Aviation (which is part of the Roselectronika holding), Ural Special Equipment Plant, Gazprom, Transgaz, Norilsk Nickel, Rostelecom, Telecom, and Megafon. As a result, the source asserted that OwenCloud.ru is hosting over 10,000 legal entities, including the military-industrial sector, oil and gas industry, metallurgical and aerospace companies, and telecommunication giants. 

It was reported that the hack affected various organizations, such as companies in the oil and gas and telecommunications sectors and the country's military. In the Kyiv Independent report, there was a list of victims that included Ural Works of Civil Aviation, Rubin, Ural Plant Spectechniks, Gazprom, Transgaz, Lukoil, Rosneft, Nornickel, Rostelecom, and MegaFon, among others. 

The source of NV's report revealed on March 18 that Ukrainian hackers were able to access correspondence between Russian CEC member Nikolai Levichev and Boris Nadezhdin, a candidate in the so-called presidential election. As a result of being denied registration as a presidential candidate, Nadezhdin actively contacted representatives of the Russian Central Election Commission and resolved personal and political issues, including addressing the refusal of the Russian Central Election Commission. 

According to the hacker group, this suggests that a "fake presidential candidate" is at play. Ukrainian hackers are known for regularly stealing information about Russian websites, payment systems, and state-owned companies. Thousands of Russian organizations were accessed by Ukrainian hackers in January, and 200 gigabytes of data was obtained. 

A Russian state-owned company that builds military facilities across the entire Russian territory has also been crashed by the BLACKJACK hacker group. They have also stolen documentation for 500 military facilities maintained by the Russian Ministry of Defense. On the servers of the Russian Ministry of Defense, a DDoS attack was launched by hackers from the Defense Intelligence Department.
Read more »
Telecom
Cyberattack CyberCrime Cybersecurity Data protection DSCI NASSCOM Privacy Telecom

Privacy Act Compliance Staggered, NASSCOM Seeks Collaboration

 


During its representation to the government, Nasscom, the leading industry body in the sector, suggested that the Ministry of Electronics and Information Technology need to consider different deadlines for compliance with the upcoming rules on data protection and protection of personal information. 

As a result of discussions with the industry, Nasscom stated that organizations that do not have any prior experience with data security, including governments, logistics companies, professionals, offline retailers, research institutes, and schools, would need to start from scratch if they wish to implement a compliance program. These will be the most time-consuming and time-consuming tasks as they will be the most necessary. 

According to industry organizations NASSCOM and the Data Security Council of India (DSCI), there needs to be a minimum compliance period of 24 months from the date of notification of any obligation, standard, code of practice or rule. 

As part of their submissions to the Joint Parliamentary Committee on the Personal Data Protection Bill, both organizations pointed out that such a period will be required. It was reported that Nasscom has partnered with companies in the e-commerce, financial, healthcare, and other industry sectors. The report explained that the compliance programmes would need to be adapted to account for the new obligations (e.g., rights as to personal data) that will apply to all types of digital personal data. 

As the Ministry of Electronics and Information Technology (MeitY) said on Friday, it is likely that organisations without any experience in privacy-related legislation, such as the Digital Personal Data Protection Act (DPDPA), will have the most difficulty complying with the new law. 

The observation made by Nasscom came as a part of a representation made to MeitY describing how the DPDPA can be effectively implemented. There were questions about the full scope of the Act, and the agency requested clarification and guidance on it. 

The Data Protection Authority (DPA) will also need to be formed within a set period that must also be defined in the legislation. There must be additional time given to those companies that are handling the data of foreign nationals so that they may renegotiate their international contracts when the bill is passed. To clarify the extent to which the proposal could be applied extraterritorially, examples must be provided. 

A very important aspect of the Indian regulatory landscape is NASSCOM, one of the key industry groups. A data protection body called the DSCI has been set up in India to focus on the protection of data. Ashwini Vaishnaw, the IT minister of India, has recently stated that the government does not intend to allow companies to comply with the Act within 12-18 months. Is it reasonable to expect the protection of personal data to take so much time? Since the introduction of the GDPR and the Singapore Data Protection Act, the entire industry is already accustomed to it as a result of [the European Union's] GDPR and others. In effect, since they were enacted," he said. He also mentioned that regarding the 25 sets of rules to be adopted to implement the DPDP Act, they would be released in one shot and everyone would be notified at the same time. 

Vaishnaw had also commented that the draft rules would be made public for 45 days for public consultation. In their request, Nasscom pointed out that generally, 30 days are allotted for the public to comment on each set of rules. As a result, Nasscom requested MeitY to give a period that is sufficiently long for the public to comment. 

The idea, as mentioned by Nasscom, is not merely to indirectly create new rules, but rather to provide comprehensive clarification on how the central government is interpreting these sections. This clarification aims to identify the best practices and international reference points that can confidently be applied to the Indian context. 

By doing so, it will not only avoid redefining statutory provisions or constraining the (Data Protection) Board or the Telecom Disputes Settlement and Appellate Tribunal, but also ensure that the interpretation of key terms and concepts, such as "purposes of employment", "voluntary provision of personal data", "technical and organisational measures", "security safeguards", "detrimental effect on the well-being of a child", and "erasure" under the Act, are clearly defined and understood. This guidance will enable stakeholders to navigate the complexities of data protection with greater clarity and confidence.
Read more »
Telecom
Artificial Intelligent Cyber Security Cyberattack CyberCrime HTTPSnoop malware Telecom

Cybersecurity Alert: HTTPSnoop Malware Infiltrates Telecom Giants

 


Cyberattacks against telecommunication service providers in the Middle East have been carried out with the use of new malware called HTTPSnoop and PipeSnoop, which allow cybercriminals to remotely control the devices infected with this malware. 

They have also found a companion implant to HTTPSnoop, known as PipeSnoop, which is capable of accepting shellcode from a named pipe and executing it on the infected endpoint by sending it to an open socket. These findings confirm that the two implants belong to a new group of intrusions called 'ShroudedSnooper' that Cisco Talos has deemed highly likely to belong to its new set of intrusions. 

According to a report by Cisco Talos, the two implants belong to the same intrusion set named 'ShroudedSnooper' but serve different operational goals in terms of the level of infiltration. "The backdoor HTTPSnoop is a simple, yet effective backdoor built into the Windows operating system by using a novel technique that interfaces with the HTTP kernel drivers and devices to listen to incoming HTTP(S) requests and execute the content on an infected machine. 

According to Cisco Talos in a report shared with The Hacker News, HTTPSnoop is a simple but effective backdoor. It is also important to note that a sister implant, codenamed PipeSnoop, is also part of the threat actor's arsenal, as this implant is capable of accepting arbitrary shellcode from a named pipe and executing it on the infected machine. 

To get an initial foothold into target environments, ShroudedSnooper is said to exploit internet-facing servers and use HTTPSnoop as its first step. Both malware strains are impersonating components of the Palo Alto Networks Cortex XDR application ("CyveraConsole.exe"), thereby evoking the credibility of Palo Alto Networks. 

PipeSnoop The Cisco Security Research Center first detected the PipeSnoop implant back in May 2023. This implant appears to act as a backdoor to Windows IPC (Inter-Process Communication) pipes, which are used to send shell codes to breached endpoints. Unlike HTTPSnoop, which appears to target servers that are visible to the public, PipeSnoop appears more suitable for exploiting compromised networks deep within, as opposed to the public-facing servers that HTTPSnoop seems to target. 

The Cisco engineers note that the implant requires a component that provides the shell code in order to function properly. Despite this, the firm's analysts still haven't been able to pinpoint where the malware is located. The telecommunications industry often becomes a target of state-sponsored threat actors as they run critical infrastructure within their networks and relay extremely sensitive information to a wide range of customers, as well as being targets of state-sponsored threats.

Due to the recent escalation of state-sponsored attacks against telecom entities, it is imperative that enhanced security measures are put in place as well as international cooperation in the fight against cyber-attacks. Moreover, the researcher who published the post detailed that both HTTPSnoop and PipeSnoop were found masquerading as attributes of the application Cortex XDR from Palo Alto Networks in a post. 

'CyveraConsole[dot]exe' is the executable that contains the Cortex XDR agent for Windows in the malware. That application is referred to as the malware executable, to give it its full name. The researchers, who released Cortex XDR v7.8 on Aug. 7, 2022, stated that the product would be decommissioned on April 24, 2023, as soon as it became available for download. 

The threat actors could, therefore, have operated this cluster of implants during the periods mentioned above, implying that they were used by them at the time. It has been observed that there are three different kinds of HTTPSnoop variants available at the moment. 

There is a method used by the malware in which it detects incoming requests matching predefined URL patterns, and then extracts the shellcode to execute on the user's computer by using low-level Windows APIs. The HTTP URLs used in this attack are imitative of the ones used by Microsoft Exchange Web Services, OfficeTrack, and provisioning services linked to an Israeli telecommunications company and attempt to encode malicious traffic in such a way that it is nearly impossible to detect them. 

"Several state-sponsored actors, as well as sophisticated adversaries, have been alleged to have been targeted telecommunications organizations around the world over the last couple of years. In 2022, Talos IR engagements consistently targeted this vertical as one of the top-targeted verticals in its investigation of telecommunications companies. 

Typically, telecommunication companies are high-profile targets for adversaries who are looking for the chance to cause significant damage to critical infrastructure assets. They control a considerable number of critical infrastructure assets.

In many cases, these institutions are the backbone of national satellite, internet, and telephone networks, which are heavily relied upon by both the private and public sectors.  The authors noted that telecommunications companies can also act as a gateway for adversaries to gain access to other businesses, subscribers, or third-party providers, such as banks and credit card companies. 

Moreover, Cisco Talos stated that Middle-Eastern Asian telecommunications companies are also frequently targeted by cybercriminals. The Clearsky cybersecurity firm disclosed in January 2021 that the "Lebanese Cedar" APT was targeting telecommunication companies in the U.S., the U.K., and the Middle East of Asia using web shells and RAT malware families, leveraging web shells and explosive malware. 

It was also found that the MuddyWater APT targeting South Asian telecommunication companies, which used web shells to transfer script-based malware to an Exchange Server as well as dual-use tools to perform hands-on keyboard attacks, was a separate campaign Symantec mentioned. 

Earlier this year, Cisco Talos researchers identified two vulnerabilities in WellinTech's KingHistorian ICS data manager which would lead to an attempt to exploit one of these vulnerabilities. Talos tested the software and confirmed that these vulnerabilities could be exploited by the well-known people behind WellinTech. 

The ClearSky network discovered, in January 2021, that a set of attacks had been orchestrated by the Lebanese Cedar organization aimed at telecom operators in the United States, the United Kingdom, and Middle Eastern Asia. In December of the same year, Symantec, owned by Broadcom, disclosed that the MuddyWater (also known as Seedworm) threat actor was launching a spying campaign against telecom operators in the Middle East and Asia. 

It has also been reported that other adversarial collectives have also been involved with attacks against telecommunication service providers in that region over the past year, such as BackdoorDiplomacy, WIP26, and Granite Typhoon (formerly Gallium).
Read more »
telecommunications
Cyber Crime ISP Linux SentineLabs Telecom telecommunications

Metador APT is Lurking ISPs and Telecom Entities

Researchers at SentinelLabs have discovered a threat actor identified as Metador which primarily targets universities, ISPs, and telecommunications in various Middle Eastern and African nations.

SentintelLabs researchers dubbed the organization Metador after the phrase 'I am meta' that exists in the malicious code as well as the fact that the server messages are often in Spanish. As per the findings revealed at the first-ever LabsCon security conference, the group is thought to have started operating in December 2020, but throughout the past few years, it has managed to remain undetected. 

SentinelLabs senior director Juan Andrés Guerrero-Saade claimed that despite sharing information on Metador with experts at other security companies and government partners, no one was aware of the group.

SentinelLabs researchers found Metador in a Middle Eastern telecommunications business that had been hacked by roughly ten threat actors, including Moshen Dragon and MuddyWater, who all hail from China and Iran. Metador's goal appears to be long-term espionage inventiveness. 

Along with two incredibly complex Windows-based viruses  "metaMain" and "Mafalda," that the gang uses – there are clues of Linux malware, according to the researchers at SentinelLabs.

The attackers loaded both malware into memory and decrypted it using the Windows debugging tool "cdb.exe."

Mafalda is a versatile implant that can support up to 67 commands. Threat actors have regularly updated it, and the more recent iterations of the threat are heavily disguised. The attacker can maintain a persistent connection, log keystrokes, download and upload arbitrary files, and run shellcode thanks to the robust feature set of metaMain, which is used independently.

Mafalda gained support for 13 new commands among two variations that were produced in April and December 2021, adding possibilities for credential theft, network espionage, and file system manipulation. This is proof that Mafalda is being actively developed by its developers.

Attack chains have also included unidentified Linux malware that is used to collect data from the infected environment and send it back to Mafalda. The intrusions' entrance vector has not yet been identified.

Running into Metador is a serious reminder that another category of threat actors still operates covertly and without consequence. Security product creators should seize the chance to actively design their products to keep an eye out for the most sophisticated, well-funded hackers.



Read more »
Ukraine
CERT-In Hacking Russian Cyber Security Sandworm Telecom Ukraine

Russia- Linked Sandworm Enacted Ukrainian Telecoms for Injecting Malicious Code


It was discovered that a Russian-based hacker known as Sandworm, impersonating Ukrainian telecommunications, targeted its entities and injected malware into them, leading to software infections throughout the country. 
 
The Sandworm is a group of hackers that are closely connected with the foreign military intelligence service of the Russian government called the GRU as a military unit 7445. It is an Advanced Persistent Threat (APT) group, which was responsible for several cyberattacks including on Ukrainian energy infrastructure. 
 
The recorded future was spying over the operations of government as well as private sectors. As per the report of “recorded future”, the rise in activities of Sandworm has been noticed since August 2022, tracked by the Computer emergency response team of Ukraine (CERT-UA). It is obvious from the frequency with which the Sandworm has been observed employing DNS domains for control and command infrastructure that it is a ruse to attack Ukrainian computers. 
 
Recorded Future further added in the report that, the APT group found a new infrastructure of UAC-0113, which imitates the operators such as Datagroup, and EuroTrans Telecom, which were responsible for placing DarkCrystal RAT, previously. 
 
The Recorded Future’s report entails “Identified staging infrastructure continues the trend of masquerading as telecommunication providers operating within Ukraine and delivers malicious payloads via an HTML smuggling technique that deploy Colibri Loader and Warzone RAT malware.” 
 
This new infrastructure of Advanced persistent threat group UAC-0113 distributed the commodity malicious ISO Colibri Loader and Warzone RAT by using HTML smuggling. This smuggling technique uses legalized features of HTML and JavaScript to inject malicious codes under security controls. 
 
The super-hacker team of Russia, Sandworm, is popularly known for its cyberattacks on the Ukrainian electrical grid in 2015 and 2016. In further research, it was also found responsible for the dropping of a botnet known as “Cyclops Blink”, which subjugated internet-connected firewall devices, etc from WatchGuard and ASUS. 
 
This APT group had also captured U.S. software under its cyberattacks, due to which the U.S government announced a reward of $10 million for providing the information of the hackers behind this Russian threat actor group. 
 
There are several examples of domains being used as masquerade such as the domain “datagroup[.]ddns[.]net”, tracked by CERT-UA, in June. It impersonated the data group as its online portal. Another example of deception is Kyivstar, in which the domain “kyiv-star[.]ddns[.net” was used by Sandworm against Ukrainian telecom services.
Read more »
User Privacy
Canada Data Breach Encryption Hive Ransomware Phishing Attacks Telecom User Privacy

Bell Canada Hit by Hive ransomware

Bell Canada, a telecommunications firm, alerted consumers of a cybersecurity incident in which hackers gained access to business data. With more than 4,500 people, BTS is an autonomous subsidiary that specializes in installing Bell services for household and small-business customers in the provinces of Ontario and Québec.

Bell Technical Solutions, an independent subsidiary that specializes in the setup of Bell services for housing and small business customers in Ontario and Québec, had been the target of the recent cybersecurity incident, the company identified, according to a notice published on bell.ca. that "Some operational company and employee information was accessed in the recent cybersecurity incident,"

Although the Canadian telecoms operator declined to say when its network was compromised or the attack transpired, Hive claims in a fresh post to its data leak blog that BTS' systems were encrypted on August 20, 2022, almost exactly one month earlier.

To assist in the recovery process, outside cybersecurity professionals were hired. The Royal Canadian Mounted Police's cybercrime unit has been contacted about the attack, and the corporation has informed Canada's Office of the Privacy Commissioner of the occurrence.

In the wake of the occurrence, the Bell subsidiary cautioned customers that they might become the victim of phishing attacks and took immediate action to secure the compromised systems and to reassure users that no customer data, including credit and debit card numbers, banking information, or other financial data, was accessed as a result of the incident.

"Any persons whose private data could have been accessed will be promptly informed by us. Other Bell clients or other Bell businesses were not impacted; Bell Technical Solutions runs independently from Bell on a different IT system" the company stated.

Hive is an affiliate-based ransomware version that was first noticed in June 2021 and is used by hackers to launch ransomware attacks targeting healthcare facilities, charities, retailers, energy suppliers, and other industries globally.

Recently cyberattack by the Hive ransomware gang has led to an extortion attempt worth $2 million against Damart, the French clothing firm with over 130 locations throughout the world. According to data from Recorded Future, Hive is still one of the most active ransomware gangs, responsible for more than 150 attacks last month.









Read more »
Telecom
Credential Phishing Dark Web Data Breach Finance Healthcare Malicious actor Ransomware Attacks. Stock market Telecom

Dark Web: 31,000 FTSE 100 Logins

 

With unveiling the detection of tens of thousands of business credentials on the dark web, security experts warn the UK's largest companies that they could unintentionally be exposed to significant vulnerability. Outpost24 trawled cybercrime sites for the compromised credentials, discovering 31,135 usernames and passwords related to FTSE 100 companies using its threat monitoring platform Blueliv.

The Financial Times Stock Exchange (FTSE) 100 Index comprises the top 100 companies on the London Stock Exchange in terms of market capitalization. Across several industry verticals, these businesses reflect some of the most powerful and lucrative businesses on the market. 

The following are among the key findings from the study on stolen and leaked credentials: 

  • Around three-quarters (75%) of these credentials were obtained by traditional data breaches, while a quarter was gained through personally targeted malware infections. 
  • The vast majority of FTSE 100 firms (81%) had at least one credential hacked and published on the dark web, and nearly half of FTSE 100 businesses (42%) have more than 500 hacked credentials. 
  • Since last year, there were 31,135 hacked and leaked credentials for FTSE 100 organizations, with 38 of them being exposed on the dark web. 
  • Up to 20% of credentials are lost due to malware infections and identity thieves.
  • 11% disclosed in the last three months (21 in the last six months, and 68% for more than a year) Over 60% of stolen credentials come from three industries: IT/Telecom (23%), Energy & Utility (22%), and Finance (21%). 
  • With the largest total number (7,303) and average stolen credentials per company (730), the IT/Telecoms industry is the most in danger. They are the most afflicted by malware infection and have the most stolen credentials disclosed in the last three months.
  • Healthcare has the biggest amount of stolen credentials per organization (485) due to data breaches, as they have become increasingly targeted by cybercriminals since the pandemic started. 

"Malicious actors could use such logins to get covert network access as part of "big-game hunting" ransomware assault. Once an unauthorized third party or initial access broker obtains user logins and passwords, they can either sell the credentials on the dark web to an aspiring hacker or use them to compromise an organization's network by bypassing security protocols and progressing laterally to steal critical data and cause disruption," Victor Acin, labs manager at Outpost24 company Blueliv, explained.
Read more »
Telecom
Asia Cyber Attacks Hackers Iranian Middle East Telecom

Telecom Industries Targeted by Hackers in Middle East and Asia

 

According to analysts, criminals attacking telcos in the Middle East and Asia over the last six months have been connected to Iranian state-sponsored cybercriminals. Cyberespionage tactics use a potent combination of spear phishing, recognized malware, and genuine network tools to steal sensitive information and potentially disrupt supply chains. 

Analysts detailed their results in a study released on Tuesday, claiming that attacks are targeting a variety of IT services firms as well as utility companies. As per a report issued by Symantec Threat Hunter Team, a subsidiary of Broadcom, malicious actors seem to obtain access to networks via spear-phishing and then steal passwords to migrate laterally. 

“Organizations in Israel, Jordan, Kuwait, Saudi Arabia, the United Arab Emirates, Pakistan, Thailand, and Laos were targeted in the campaign, which appears to have made no use of custom malware and instead relied on a mixture of legitimate tools, publicly available malware, and living-off-the-land tactics,” researchers wrote in the report. 

However the hackers' identities are unknown, analysts believe they may be associated with the Iranian organization Seedworm, also known as MuddyWater or TEMP.Zagros. In the past, this organization has conducted significant phishing efforts targeting enterprises in Asia and the Middle East to steal passwords and gain resilience in the target's networks. 

Researchers discovered two IP addresses used throughout the operation that had already been related to Seedworm activity, as well as some tool overlap, particularly SharpChisel and Password Dumper, they claimed. Whilst there has already been threat activity from Iran against telcos in the Middle East and Asia—for instance, the Iranian Chafer APT targeted a major Middle East telco in 2018—a Symantec spokesperson termed the action detailed in the report "a step up" in its focus as well as a prospective harbinger of larger attacks to come. 

According to the analysts, a conventional attack in the latest campaign started with attackers penetrating a specified network and then trying to steal passwords to move laterally so that web shells could be launched onto Exchange Servers. 

Researchers dissected a particular attack launched in August on a Middle Eastern telecom provider. According to the experts, the first sign of penetration, in that case, was the development of a service to execute an unidentified Windows Script File (WSF). 

Scripts were then utilized by attackers to execute different domain, user discovery, and remote service discovery commands, and PowerShell was ultimately utilized to download and execute files and scripts. According to analysts, attackers also used a remote access tool that purported to query Exchange Servers of other firms. 

According to the researchers, attackers were interested in leveraging some hacked firms as stepping stones or just to target organizations other than the first one to build a supply-chain attack. 

“A suspected ScreenConnect setup MSI appeared to have been delivered in a zipped file named ‘Special discount program.zip,’ suggesting that it arrived in a spear-phishing email,” they wrote.
Read more »
User Security
Data Breach Data Leak Investigation Telecom User Data User Privacy User Security

Massachusetts is Investigating the Massive T-Mobile Data Breach

 

On Tuesday, Massachusetts Attorney General Maura Healey announced that she will look into the cyberattack on T-Mobile US Inc (TMUS.O), which compromised the personally identifiable information of over 53 million people.

After the third-largest U.S. cellphone carrier reported the hack on Aug. 16, Attorney General Maura Healey announced the investigation. 

The breach exposed names, birthdays, social security numbers, driver's licence information, PIN numbers, and other personal information of an estimated 13.1 million current and 40 million past, and potential T-Mobile users.

It was one of many cyberattacks in recent years that impacted banks, gas pipelines, and hospitals, among other businesses. 

Healey aims to examine whether the Bellevue, Washington-based corporation has sufficient measures in place to secure consumer information and mobile devices. Last month, the Federal Communications Commission in the United States launched an investigation into the matter. 

According to court records, consumers and other private plaintiffs have filed at least 23 lawsuits against T-Mobile as a result of the data leak. 

About the security breach

On August 16, T-Mobile US Inc (TMUS.O) admitted a data breach but said it has yet to determine if any customer information had been compromised, a day after an online forum claimed that the personal data of over 100 million of its users had been compromised. 

In a blog post, the telecom provider stated that it was certain that the entry point used to obtain the data had been shut down. It did not disclose the number of accounts impacted. 

"We are conducting an extensive analysis alongside digital forensic experts to understand the validity of these claims, and we are coordinating with law enforcement," the company stated. 

According to a report in Vice's Motherboard, the forum post does not specify T-Mobile but the attacker informed Vice that they acquired data on over 100 million individuals from T-Mobile servers. 

Following the news, T-stock Mobile's share dropped 2.8 percent in afternoon trade.
Read more »
Telecom
Cyber Security Dos Attacks Internet Service Providers RCE Telecom

Juniper Bug Allows RCE and DoS Against Carrier Networks

 

Juniper Networks' Steel-Belted Radius (SBR) Carrier Edition has a severe remote code-execution vulnerability that leaves wireless carrier and fixed operator networks vulnerable to tampering. By centralizing user authentication, giving the proper level of access, and verifying compliance with security standards, telecom carriers utilize the SBR Carrier server to manage policies for how subscribers use their networks. It enables carriers to distinguish service tiers, diversify revenue models, and manage network resources. 

Juniper Networks, Inc. is a multinational technology company based in Sunnyvale, California. Routers, switches, network management software, network security solutions, and software-defined networking technology are among the networking products developed and sold by the company. Pradeep Sindhu started the company in 1996, with Scott Kriens serving as the original CEO until September 2008. Juniper Networks began by specializing in core routers, which are used by internet service providers (ISPs) to execute IP address lookups and route internet traffic. 

SBR Carrier versions 8.4.1, 8.5.0, and 8.6.0 that use the extensible authentication protocol are affected by the bug (CVE-2021-0276). It was on Wednesday, Juniper released a patch. On the CVSS vulnerability-severity rating scale, it gets a 9.8 out of 10. According to Juniper's advisory, it's a stack-based buffer-overflow vulnerability that an attacker can exploit by sending specially designed packets to the platform, causing the RADIUS daemon to crash. This can cause RCE as well as denial-of-service (DoS), which prevents phone subscribers from having a network connection. 

The flaw is one of the dozens that the networking giant patched this week across its carrier and corporate product lines, including multiple high-severity flaws that could be used to launch DoS assaults. Juniper claims that one of these can also be used for RCE. CVE-2021-0277 is an out-of-bounds read vulnerability that affects Junos OS (versions 12.3, 15.1, 17.3, 17.4, 18.1, 18.2, 18.3, 18.4, 19.1, 19.2, 19.3, 19.4, 20.1, 20.2, 20.3 and 20.4), as well as Junos OS Evolved (all versions). 

The problem occurs when the Layer 2 Control Protocol Daemon (l2cpd) processes specially designed LLDP frames (l2cpd). On a local area network (usually over wired Ethernet), network devices utilize LLDP to advertise their identification, capabilities, and neighbors. “Continued receipt and processing of these frames, sent from the local broadcast domain, will repeatedly crash the l2cpd process and sustain the DoS condition,” Juniper said in its advisory, issued on Thursday.
Read more »
User Security
China Data Breach Nepal Telecom User Data User Privacy User Security

Chinese Hackers Stole Call Details of Nepal Telecom

 

China launched a destructive "cyber attack" on Nepal Telecom which resulted in Chinese hackers stealing the phone numbers of all Nepali users. 

Chinese hackers gained access to all Nepali call information by compromising the telecom company's Oracle Glass Fish Server. 

The hackers used 41 Tactics of Advanced Persistent Threat (APT) and 71 Tactics of Advanced Persistent Threat (APT) and backdoor weaponry, according to technical specialists. APT 41 and APT 71 have been spotted stealing CDR data from telecom systems. It was also discovered that the stolen data from the telecom server was being sold on the dark web. The telco's CDR call data record was put for selling on June 29. 

Several local news sources reported that Nepal Telecom has shut down its server to handle the growing threat. NTC spokesman Rajesh Joshi stated, "We have not deciphered the identity of the hackers. We switched off the server to save our data after we received information of a possible interference into our server." 

Chinese hackers reportedly obtained access to NTC's Oracle GlassFish Server and obtained Call Data Records (CDR). According to NepaliTelecom.com, the telecom assures that its call data is secure. NTC Managing Director Dilli Ram Adhikari reported that the company's main server is secure. 

In response to media outlets, he stated: "Hackers might have breached into a dated server of CDMA. The company's team of expert technicians are looking into the matter to trace the culprits. Our main server is protected by a highly secure firewall and remains safe." 

According to NepaliTelecom.com, China has frequently well-guarded the firm on a governmental level, encouraging them to initiate attacks on international companies over time. This led to the supposition that the Chinese were behind the attack on NTC. 

The famed hacker, Tag-22has hacked and even sold telecom-related data from nations like Taiwan and the Philippines. 

According to the report, China has earned the wrath of other nations on several occasions for allegedly promoting state-level breaches, which it has emphatically denied. There is no confirmation that the Chinese group was behind the group at this time, but the leads point in that direction. 

By hacking into telecom, a vast segment of consumer data becomes exposed to malicious use. In order to secure user data in the future, NTC will have to be more cautious in the coming days.
Read more »
Telecom
Telecom

Reliance to disrupt CDMA Services ahead of 4G Launch

In 2002, the Ambani brothers-Mukesh and Anil, had stepped on a rather challenging and less popular Code Division Multiple Access  (CDMA) technology in their telecom business, wherein the world was getting adapted to the Global System for Mobile Communication (GSM) technology. 

But, 14 years after backing the CDMA technology, Reliance Industries Ltd chairman Mukesh Ambani's telecom services bet on the fourth-generation long-term evolution (LTE) technology is ironically set to relegate the CDMA radio technology. 

The CDMA never had the hold on the telecom market unlike GSM. As on 31 December, 2015, CDMA had less than 5% share of the total wireless subscriber base in India, according to the Telecom Regulatory Authority of India (TRAI). CDMA subscribers accounted for just about 47 million of the total 1.1 billion wireless users as on 31 December. The rest are GSM subscribers.

Now, the Reliance Communications' success in lobbying the government to allow telecom companies operating on the CDMA platform to also use the GSM technology has pushed the technology to the back foot.

Reliance Jio has spent 1.2 trillion in financial year 2015-16 for the 4G launch.

"As we approach the launch of fourth-generation (4G) services by Reliance Jio Infocomm Ltd (R-Jio), we believe it could likely mark the end of CDMA services," Sanjesh Jain, research analyst, wrote in an ICICI Securities Ltd.

"It is critical for R-Jio as completion of 850MHz (megahertz) spectrum refarming by R-Com infers that R-Jio could use the spectrum (through sharing/trading route) for its 4G-850MHz pan-India launch. R-Com has already vacated 850MHz in nine circles. Due to strong data card business, 55% of CDMA revenue comes from post-paid, which could be a low hanging target for R-Jio," added the ICICI Securities report.

Meanwhile, sources say that Reliance Communications is expected to complete the migration of CDMA to 4G LTE service by mid-August, as most of its customers have already opted for the offered upgrade to 4G LTE services.












Read more »
Subscribe to: Posts (Atom)