The Cybersecurity Express – July 12, 2024

The airship-like train, sleek and gleaming, casting long shadows in the setting sun, slows down to meet the platform, as like a scene torn out from a novel by Jules Verne. You, a traveler in this strange land of bytes and breaches, felt a tingling excitement as the crowd murmured in anticipation. The train, a marvel of modernity and mystery, promised to whisk you away into the depths of the digital frontier.

With a hiss, the doors parted, revealing a carriage filled with the glow of screens and the hum of encrypted whispers. You step aboard, heart pounding, ready to traverse through the labyrinthine paths of cyber threats and defenses. The conductor, an enigmatic figure with a knowing smile, signals that the journey is about to commence. Each stop on this voyage promises revelations and insights, guiding you through the intricate web of cybersecurity. Welcome aboard The Cybersecurity Express, where every destination is a portal to knowledge and protection in the digital age.

AT&T Data Breach Exposes Millions of Customer Records

In a significant cybersecurity incident, AT&T has confirmed a massive data breach that has exposed sensitive information of “almost all of its cellular customers”, to quote the spokesperson exactly. Discovered on April 19, 2024, the breach involved unauthorized access to an AT&T workspace on a third-party cloud platform. Between April 14 and April 25, 2024, threat actors exfiltrated files containing customer call and text records from May 1^st to October 31^st, 2022, and from January 2^nd, 2023.

The compromised data includes call logs, text logs (not the content of the texts), telephone numbers, counts of interactions, and aggregate call durations. While the content of calls or texts and personally identifiable information (such as Social Security numbers and dates of birth) were not included, the data provides sufficient detail to potentially identify individuals through publicly available tools. This information affects nearly all of AT&T’s wireless customers and customers of mobile virtual network operators (MVNOs) using AT&T’s network.

Upon discovering the breach, AT&T immediately activated its incident response process and engaged external cybersecurity experts. The company has since closed the point of unlawful access and taken additional cybersecurity measures to prevent future incidents. AT&T is also working with law enforcement to apprehend those responsible, with at least one individual already apprehended.

AT&T has notified affected customers and is offering free credit monitoring services to help mitigate potential risks such as identity theft and financial fraud. Additionally, AT&T is enhancing its security protocols, including implementing stricter access controls, increasing monitoring of third-party vendors, and conducting comprehensive security audits.

Customers are urged to monitor their accounts for suspicious activity, change passwords, enable two-factor authentication, and regularly check credit reports to detect any unauthorized transactions or new accounts. The company also advises customers to take advantage of the credit monitoring services being offered.

This breach has significant implications not only for AT&T but for the telecommunications industry as a whole. It highlights the critical need for robust cybersecurity measures and the potential risks associated with third-party vendors. The incident serves as a stark reminder that organizations must continuously assess and strengthen their security practices to protect sensitive customer information.

Cybersecurity experts stress the importance of a proactive approach, including regular security assessments, employee training on cybersecurity best practices, and staying informed about the latest threats and vulnerabilities. The breach also underscores the need for industry-wide collaboration to share threat intelligence and develop strategies to combat evolving cyber threats.

As AT&T continues to address the fallout from this breach, it is clear that the company and the industry must prioritize cybersecurity to prevent similar incidents in the future. Strengthening supply chain security, enhancing data protection measures, and fostering a culture of cybersecurity awareness are essential steps in safeguarding sensitive information.

New “Blast Radius” Attack Bypasses Widely-Used RADIUS Authentication

In a significant cybersecurity revelation, a new attack method called “Blast Radius” has been discovered, compromising the widely-used RADIUS/UDP (Remote Authentication Dial-In User Service) authentication protocol. This exploit targets the core authentication mechanism of RADIUS, a protocol crucial for many corporate and government networks.

The “Blast Radius” attack capitalizes on a fundamental weakness in the RADIUS protocol. It manipulates the shared secret used for authentication between the client and the server, the now CVE-2024-3596. The attack starts by intercepting RADIUS Access-Request packets using a man-in-the-middle approach. Attackers then employ cryptographic techniques to produce a MD5 hash collision needed to obtain a valid “Access-Accept” response, granting themselves admin privileges on RADIUS devices without requiring brute force or stealing credentials.

To make matters worse, the attack is highly feasible with readily available tools and moderate computing power. This accessibility means that even relatively inexperienced attackers could potentially exploit this vulnerability. The researchers who discovered this flaw demonstrated its effectiveness in various real-world scenarios, highlighting its serious implications for network security, but decided to keep the technique a secret.

The impact of the “Blast Radius” attack is extensive. Any network using RADIUS for authentication is potentially vulnerable. This includes a wide range of devices and services, from Wi-Fi networks to VPNs and enterprise-level access controls. The ability to bypass RADIUS authentication not only compromises data security but also undermines the trust in network integrity.

To counter this threat, network administrators should implement several key measures:

• Strengthen Shared Secrets: Use complex, high-entropy passwords for RADIUS shared secrets to make brute-force attacks more difficult.
• Encrypt RADIUS Traffic: Utilize IPSec or other encryption methods to protect RADIUS traffic, ensuring that intercepted packets cannot be easily exploited.
• Implement Multi-Factor Authentication (MFA): Adding an additional authentication layer can mitigate the risk even if the RADIUS protocol is compromised.
• Regular Audits and Updates: Conduct regular security audits and ensure that all components of the authentication infrastructure are updated with the latest security patches.
• Monitor and Detect: Deploy advanced intrusion detection systems (IDS) to monitor for unusual activity that might indicate an ongoing attack.

The discovery of the “Blast Radius” attack underscores the need for continuous vigilance in cybersecurity practices. As attackers develop more sophisticated methods, it is crucial for security professionals to stay ahead by understanding potential vulnerabilities and implementing robust defense mechanisms.

Google Enhances Security with Passkey Integration for Advanced Protection Program

Google has introduced a significant security enhancement by integrating passkeys into its Advanced Protection Program (APP). This move aims to provide heightened security for high-risk user accounts, such as those belonging to journalists, activists, and political figures, who are often targeted by sophisticated cyber attacks.

Passkeys represent a shift from traditional password-based security methods. They use cryptographic keys that are stored on users’ devices, making account compromising and credential theft significantly more difficult. When a user logs into their account, the passkey on their device communicates directly with Google’s servers to authenticate the user, ensuring a higher level of security without the need for passwords.

Google’s Advanced Protection Program, which already offers robust security features like physical security keys and stringent account recovery processes, MFA and others, now includes passkeys as an additional layer of defense. This integration provides several benefits:

1.        Enhanced Security: Passkeys eliminate the risks associated with password reuse, credential phishing, and brute-force attacks. As passkeys are stored on a user’s device and are never shared with the service provider, they are immune to interception during transmission.

2.        User Convenience: By leveraging biometric sensors or device PINs, passkeys simplify the login process. Users no longer need to remember complex passwords, reducing the likelihood of security breaches due to weak or reused passwords.

3.        Broad Compatibility: Passkeys work across various platforms and devices, ensuring a seamless and secure user experience. Google’s adoption of passkeys in the APP sets a precedent for other organizations to follow, promoting a more secure digital ecosystem.

The passkey system operates on public-key cryptography. When a user registers their device, a key pair is generated: a public key, which is sent to Google, and a private key, which remains on the user’s device. During authentication, the device signs a challenge with the private key, and Google verifies this signature using the stored public key. This method ensures that only the legitimate device can authenticate, mitigating risks associated with traditional authentication methods.

Looking ahead, Google plans to extend passkey support to more services and applications, promoting wider adoption of this secure authentication method. As cyber threats continue to evolve, integrating advanced security measures like passkeys is crucial for protecting sensitive user information.

Hacker Claiming to Have Fortinet VPN Access to 50+ Organizations

A hacker has recently claimed to have unauthorized access to Fortinet VPN in the US, raising significant security concerns. The claim involves exploiting a vulnerability in Fortinet’s VPN services, potentially compromising numerous systems that rely on Fortinet’s technology for secure remote access. The hacker alleges that the exploit allows them to gain unauthorized entry to sensitive networks, posing a severe threat to data security.

The hacker has allegedly accessed multiple VPN accounts in the US, potentially leading to widespread data breaches, and is selling said access on the dark web at 7.500$ per Organization. This breach emphasizes the importance of timely security updates and patches. Fortinet had previously identified and patched a critical vulnerability in its VPN service, urging users to update their systems immediately. However, the hacker’s claims suggest that many systems may still are unpatched and vulnerable. What organizations is he claiming to have access to, he did not say. Perhaps he discloses that after the money is on the table.  

Fortinet has been a leading provider of VPN solutions, widely used across various industries for secure remote access. This incident underscores the critical need for organizations to maintain rigorous cybersecurity practices, including regular updates and monitoring for potential threats.

To mitigate the risks associated with this alleged breach, users are advised to immediately apply the latest security patches provided by Fortinet. Additionally, organizations should conduct thorough security audits to identify and address any vulnerabilities in their systems. Enhanced monitoring and intrusion detection systems can also help detect and respond to suspicious activities promptly.

This incident serves as a stark reminder of the ongoing cyber threats facing organizations today. Ensuring robust security measures and staying informed about potential vulnerabilities is essential to safeguarding sensitive information against unauthorized access and breaches.

Staying informed and proactive is essential. Implementing strong security practices, regularly updating systems, and remaining vigilant can significantly mitigate risks. We appreciate your time and dedication to understanding these crucial issues. Join us again on The Cybersecurity Express for more insights and updates. Your commitment to cybersecurity is vital in safeguarding our digital world. Stay safe and see you on the next journey.