Corvus Threat Intel
T-Mobile and Nissan Breached, New Git Vulnerabilities, & SSO Smishing
T-Mobile and Nissan disclose breaches, critical security flaws discovered by GitLab, and Single Sign On smishing strikes.
T-Mobile and Nissan Disclose Breaches
T-Mobile and Nissan North America reported data breaches this week. The Nissan incident began in June 2022, when data held by a third-party software vendor was inadvertently exposed through a misconfigured database. This led to data from thousands of customers being exposed. Nissan had a separate incident in 2021, when a Git server was left exposed with default credentials, which likewise resulted in confidential data such as source code being exposed.
T-Mobile was breached through an application programming interface (API). APIs are commonly used by software to communicate and exchange data, and they are a prime target for threat actors. The attacker used an API to steal customer data for about 37 million accounts. The telecommunications provider has not disclosed how the attacker was able to gain access to the API.
Why This Matters
Rather than an occasion for naming and shaming, high-profile cyber incidents can be painfully instructive. We don’t all need to make the same mistakes to learn. Particularly with recent developments in data extortion and data theft, it’s important to enumerate where data is being stored and shared, who has access to it, and how the storage is configured.
- T-Mobile Informing Impacted Customers about Unauthorized Activity (T-Mobile)
- T-Mobile hacked to steal data of 37 million accounts in API data breach (BleepingComputer)
- Nissan North America data breach caused by vendor-exposed database (BleepingComputer)
Critical Vulnerabilities Uncovered in Git
On January 17, 2023, security researchers working in collaboration with GitLab announced the discovery of critical security flaws in Git. Git is an open-source tool widely used by software developers and engineers for version control as they collaborate on code changes. The flaws (CVE-2022-23521 & CVE-2022-41903) may allow a remote, unauthenticated attacker to perform arbitrary code execution on systems running vulnerable versions of Git. Fortunately, there is no known exploitation in the wild; however, this is not something to ignore until it’s too late. Security patches are available and should be applied as soon as possible. Corvus notified all impacted policyholders and provided remediation guidance to mitigate the risk.
Why This Matters
Since Git is so widely used, these are vulnerabilities to watch. There hasn’t been any reported exploitation, but that doesn’t mean there isn’t urgency. Threat actors are typically only weeks or days away from developing workable exploits, so it’s crucial to maintain a regular patching cadence for vulnerabilities such as these.
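Because Git backports security fixes to several maintenance tracks at once (one fixed release per major.minor line), checking "is my version at least the newest release" misclassifies every older, already-patched track as vulnerable. The following Python script is an added example written for this post, not Corvus or Git project code; it reads `git --version`, parses the version, and compares it per track against a list of fixed releases. The `SAMPLE_FIXED_VERSIONS` values are constructed placeholders for illustration only, not the real fixed versions; fill the list from the Git security advisory for CVE-2022-23521 and CVE-2022-41903 before relying on the result.

```python
import re
import subprocess
from typing import Optional, Sequence, Tuple

Version = Tuple[int, int, int]

# CONSTRUCTED sample values for illustration only; they are NOT the real
# fixed versions. Take the authoritative per-track list from the Git
# security advisory for CVE-2022-23521 and CVE-2022-41903.
SAMPLE_FIXED_VERSIONS = ["2.10.5", "2.11.2", "2.12.1"]

# First "major.minor[.patch]" group in the string; vendor suffixes such as
# ".windows.1" after the patch level are ignored.
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Version:
    """Extract major.minor.patch from strings like 'git version 2.12.1' or
    '2.11.2.windows.1'; a missing patch component is treated as 0."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def is_patched(installed: str, fixed_versions: Sequence[str]) -> bool:
    """Return True if `installed` carries the backported fix.

    Rule, per maintenance track:
      * same major.minor as a fixed release: patched iff the patch level is
        at or above that release;
      * newer than every fixed track: patched (the fix is in mainline);
      * older than every fixed track, or on a track with no fixed release:
        treated as vulnerable, since no backport exists for it.
    """
    inst = parse_version(installed)
    fixed = sorted(parse_version(v) for v in fixed_versions)
    if not fixed:
        raise ValueError("fixed_versions must not be empty")
    for f in fixed:
        if (inst[0], inst[1]) == (f[0], f[1]):
            return inst[2] >= f[2]
    newest = fixed[-1]
    return (inst[0], inst[1]) > (newest[0], newest[1])


def installed_git_version() -> Optional[str]:
    """Return the output of `git --version`, or None if git is not on PATH."""
    try:
        out = subprocess.run(
            ["git", "--version"], capture_output=True, text=True, check=True
        )
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip()


if __name__ == "__main__":
    v = installed_git_version()
    if v is None:
        print("git not found on PATH")
    else:
        status = "patched" if is_patched(v, SAMPLE_FIXED_VERSIONS) else "VULNERABLE"
        print(f"{v}: {status} (checked against sample list {SAMPLE_FIXED_VERSIONS})")
```

Run it on each build host and developer machine as part of the patch-tracking sweep; the conservative default (unknown track means vulnerable) errs toward a false alarm rather than a missed host.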
Single Sign On (SSO) Smishing
Single Sign On (SSO) solutions aim to simplify life for organizations. But they can also be a goldmine for scammers. SSO allows a user to authenticate across multiple services using a single login. This means that if an attacker can trick you into giving up your login, they get access to many different resources. Recently, scammers have gone a step further by sending fake SSO notifications in a type of attack called “smishing.” This is where attackers send phishing messages not to your inbox, but to your cell phone via text message. This is the attack vector used in high-profile incidents such as the Twilio breach. Here’s how it works:
- An attacker sends a text message designed to look like an SSO provider
- The text message claims there is an important update to your organization’s policy
- A link in the text takes you to a fake login page
Why This Matters
SSO is a great thing if it’s configured properly. Phishing or smishing attempts for SSO login credentials can be halted with the right protections in place. Of course, awareness and user training are always a good idea. But beyond that, your organization should use modern, phishing-resistant multifactor authentication (MFA) on your SSO accounts.
This blog post and its contents are intended for general guidance and informational purposes only. This blog post is under no circumstances intended to be used or considered as specific insurance or information security advice.