Cybersecurity news headlines for August 2021
In August’s edition of cybersecurity news, we cover a cyberattack on T-Mobile, Apple’s new child sex abuse imagery screening feature, and the Bangkok Airways ransomware attack.
The cyberattack on T-Mobile resulted in the theft of personal information belonging to 50 million past and current customers, including social security numbers. Apple announced a new feature that will check iPhones for known child sex abuse images, causing much controversy as consumers fear it may be used for other purposes by governments. And lastly, a ransomware attack on Thailand’s airline Bangkok Airways resulted in 200+ GB of information, including some passengers’ credit card data, being leaked online.
Without further ado, here’s what made the biggest cybersecurity headlines in August 2021.
Data of 50 million T-Mobile customers stolen during a cyberattack
T-Mobile, one of the biggest US telecommunications companies, has suffered a cybersecurity incident that exposed sensitive information of more than 50 million customers, both past and current. Names, home addresses, phone numbers, social security numbers, driver’s license and ID information of around 48 million people were stolen during the cyberattack that was revealed on August 16. Financial information such as credit card details is not believed to be among the stolen data. According to T-Mobile, 7.8 million current and over 40 million past or prospective customers were impacted by this breach.
Reportedly, T-Mobile was informed of the hack by a cybersecurity company called Unit221B LLC after it noticed that its customer data was being sold on the dark web. T-Mobile started verifying the claims and released a confirmation statement soon after. Initially, it was unclear what information was stolen exactly, but T-Mobile later confirmed that full names, addresses, phone numbers, and social security numbers were among the breached data.
According to VICE, the data containing 30 million social security numbers is being sold on an underground forum for 6 Bitcoins ($240,000 at this moment). The rest of the data is allegedly sold privately.
The perpetrator came forward and identified himself as John Binns. According to reports, he was born in the US but now lives in Izmir, Turkey, and carried out the cyberattack in retaliation for his kidnapping and torture by CIA and Turkish intelligence agents in 2019. The 21-year-old claims that he has been targeted by US law enforcement for his alleged involvement in the Satori botnet. According to him, he was abducted and tortured in Germany and Turkey by US agencies. He has filed a lawsuit against the FBI, CIA, and the Justice Department, in which he claims that he is being investigated for cybercrimes and for allegedly being involved with the Islamic State militant group. He has denied these claims.
Binns told The Wall Street Journal that he used an unprotected router to gain access to T-Mobile’s network. He provided evidence to WSJ via Telegram, proving that he is indeed behind the attack. Binns claims to have been looking for vulnerabilities in T-Mobile’s defenses through its internet addresses and was able to gain access to a data center near East Wenatchee, Washington, where more than 100 company servers were available to him to explore. In around a week, he gained access to the servers containing the personal information of tens of millions of people.
“What we can share is that, in simplest terms, the bad actor leveraged their knowledge of technical systems, along with specialized tools and capabilities, to gain access to our testing environments and then used brute force attacks and other methods to make their way into other IT servers that included customer data,” T-Mobile CEO Mike Sievert said in a statement.
According to Sievert, the breach has since been contained and the investigation is complete for the most part. Current customers affected by the breach have already been notified, while past and prospective customers should soon be informed as well. Law enforcement agencies were contacted as soon as T-Mobile became aware of the attack. The telecommunications company has also entered into a long-term partnership with cybersecurity experts at Mandiant, who also helped with the incident investigation from the very beginning.
T-Mobile is offering two years of free identity protection services with McAfee’s ID Theft Protection Service to all affected customers. The telecommunications company also recommends signing up for free scam-blocking protection through Scam Shield.
Apple to start scanning iPhones for child sex abuse images
Tech company Apple has announced that beginning with iOS 15, iPhones will be scanned for known Child Sexual Abuse Material (CSAM). The announcement has drawn a significant amount of criticism for Apple as users fear Apple has essentially opened a backdoor for governments and relevant parties to use Apple to scan iPhones for content that has nothing to do with child abuse and everything to do with politics.
According to Apple, the new system will use a database of known CSAM image hashes to match photos on Apple devices before they’re uploaded to iCloud. Unless the images on a device match a known CSAM image hash, Apple will not be able to view the images. If there is a match, the image in question would be reviewed by a human to confirm it, and a report would be sent to the NCMEC. The CSAM database is provided by the National Center for Missing & Exploited Children (NCMEC). Only images the user has chosen to upload to iCloud will be scanned, and the feature will not work on devices that have iCloud Photos disabled.
Much confusion followed Apple’s announcement, with many users fearing that images of their children would potentially be flagged as child sex abuse images by accident. However, iPhones will be scanned only for images in the CSAM database. Other users fear that Apple will be able to view all images stored on the iPhone, but the tech giant has reassured users that no employee will see any images unless they are flagged as a child sex abuse image.
“CSAM detection for iCloud Photos is designed to find matches to known CSAM images. The system uses image hashes that are based on images acquired and validated to be CSAM by at least two child safety organizations. It is not designed for images that contain child nudity that are not known CSAM images,” Apple explained in a frequently asked questions PDF.
Apple has also addressed worries that their CSAM detection system may be used to detect things other than CSAM. The tech giant claims that if such demands were made, they would be refused. Furthermore, Apple explained that the CSAM detection system is built to detect CSAM images only.
“Apple’s CSAM detection capability is built solely to detect known CSAM images stored in iCloud Photos that have been identified by experts at NCMEC and other child safety groups. The set of image hashes used for matching are from known, existing images of CSAM and only contains entries that were independently submitted by two or more child safety organizations operating in separate sovereign jurisdictions. Apple does not add to the set of known CSAM image hashes, and the system is designed to be auditable. The same set of hashes is stored in the operating system of every iPhone and iPad user, so targeted attacks against only specific individuals are not possible under this design,” Apple explains.
The company admitted that it has received demands in the past to build and deploy government-mandated changes that degrade users’ privacy, but it has refused those demands and will continue to refuse them in the future.
Lastly, Apple addressed fears that innocent people may be falsely reported to law enforcement. As Apple explains, whenever CSAM images are flagged on a device, a human review is conducted. Only after a human confirms that the images are, in fact, child sex abuse images will a report to the National Center for Missing & Exploited Children be made.
“The system is designed to be very accurate, and the likelihood that the system would incorrectly identify any given account is less than one in one trillion per year.”
Airline Bangkok Airways confirms ransomware attack
In a press release, Thailand’s third-biggest airline Bangkok Airways disclosed that the company was a victim of a ransomware attack during which hackers stole passengers’ personal information. According to the airline, the cyberattack was noticed on August 23, 2021, and after an initial investigation, it was confirmed that the personal information of passengers had been accessed, including full names, nationalities, gender, phone numbers, emails, home addresses, contact information, passport information, travel information, partial credit card information, and special meal information.
The ransomware responsible for the attack on Bangkok Airways has been identified as LockBit. The malicious actors behind this ransomware posted on a dark web forum that they will leak the data they have stolen if the airline does not agree to pay the ransom. When it became clear that Bangkok Airways had no intention of paying the ransom, the LockBit gang leaked the 200+ GB of data they stole.
The ransomware attack is still under investigation in order to understand the scope of the incident fully. However, the airline recommends that all passengers contact their banks and credit card providers and follow their directions. Furthermore, passengers should change their account passwords. Airline customers should also be extra careful about unsolicited calls that ask for personal information.
- Drew FitzGerald and Robert McMillan. T-Mobile Hacker Who Stole Data on 50 Million Customers: ‘Their Security Is Awful’. The Wall Street Journal.
- Joseph Cox. T-Mobile Investigating Claims of Massive Customer Data Breach. VICE.
- T‑Mobile Shares Updated Information Regarding Ongoing Investigation into Cyberattack.
- The Cyberattack Against T‑Mobile and Our Customers: What happened, and what we are doing about it.
- Expanded Protection for Children. Apple.
- Bangkok Airways clarifies the incident of a cybersecurity attack. Bangkok Airways Press Release.