Celsius Clients’ Cryptocurrencies at Risk, Microsoft’s Accidental Leak, and Other Cybersecurity Events

We’ve collected the most important news from the world of cybersecurity this week.

Microsoft accidentally gave a link to 38 TB of employee data

Microsoft’s AI division, when publishing a set of training data on GitHub, accidentally gave full access to the company’s internal confidential information storage. Wiz researchers noticed this.

The link to Azure Storage published by the developers turned out to be configured using a token SAS to share the entire account. Thus, 38 TB of information was disclosed, including personal backup copies of the computers of two Microsoft employees.

The latter contained sensitive personal data, including passwords to company services, secret keys and more than 30,000 internal Microsoft Teams messages from 359 employees.

The incident occurred at the end of June. Two days after Wiz’s notification, Microsoft’s response team revoked the SAS token, and a month later replaced it with GitHub.

The company stressed that no customer data was exposed and no other internal services were at risk due to this issue.

Crypto wallets of Celsius lenders were hacked through phishing

In anticipation of the approval of the refund plan, clients of the bankrupt crypto-lending platform Celsius began receiving phishing emails. This is reported by Bleeping Computer.

The scammers are posing as the claims agent in the case, Stretto. In the letter, they offer creditors a seven-day period supposedly to return the frozen funds.

The link provided in the message leads to a phishing site where the user is asked to connect his cryptocurrency wallet. With this connection, attackers gain full access to all assets on the balance sheet.

Since among the mailing recipients there are users who are not Celsius clients, journalists suggested that the hackers are using email addresses from old leaks of various cryptocurrency services. The scope of the phishing campaign is unclear at this time.

A bug in the T-Mobile app exposed customer payment information

T-Mobile customers were able to see third-party user data in the operator’s official mobile application. Numerous complaints appeared on Reddit and X.

@TMobile Wow didn’t screenshot acct 1 of 3 that I’ve seen on MY APP. But here’s 2 and 3. Huge #breach pic.twitter.com/vuBr6GcTba

—Ka (@Ka83801602) September 20, 2023

The information available included customers’ names, phone numbers, addresses, account balances, and bank card information, including expiration date and last four digits.

According to T-Mobile representatives, the company’s systems were not hacked – the failure occurred during an application update. They added that the incident had a “limited impact” and affected fewer than 100 people.

However, outside experts warned that the leak could lead to SIM swapping attacks.

⚠️ 警惕T-Mobile 数据泄露带来的sim swap劫持风险
T-Mobile 数据发生泄露，如果您是 T-Mobile 的客户，请对利用个人信息针对您的诈骗、攻击保持高度T-Mobile sim swap风险！@Foresight_News @wublockchain12 pic.twitter.com/2GdHMtTjDa

— 23pds (@IM_23pds) September 21, 2023

Darknet marketplace PIILOPUOTI liquidated

Finnish customs, together with Europol, stopped the operation of the darknet marketplace PIILOPUOTI and seized its domain.

According to the department, the site has facilitated drug smuggling and sales in the country since May 2022.

At the moment, the investigation into the case continues, Finnish authorities are establishing the identities of the sellers and users of the site.

Experts have documented the exploitation of “atypical” AWS services for hidden mining

A group of Sysdig researchers has discovered a new cloud cryptojacking campaign, AMBERSQUID. It uses unusual Amazon Web Services (AWS), including AWS Amplify, AWS Fargate, and Amazon SageMaker.

New cloud threat alert! 🚨 Introducing AMBERSQUID 🦑, the stealthy #CloudNative cryptojacking operation costing victims $10,000/day. The #cyberattack dodged static scans & targeted multiple #AWS services, making detection a challenge. Dive into the details:https://t.co/cPKhMwJEOx

— Sysdig (@sysdig) September 18, 2023

Retargeting these services frees hackers from having to request additional resources from AWS, as would happen in a more typical attack on Amazon EC2.

Additionally, targeting multiple services requires identifying and destroying miners in each of them.

Researchers have linked the campaign to Indonesian attackers. An analysis of wallets showed that hidden cloud mining has brought them about $18,300 to date.

A large casino chain from Las Vegas paid extortionists $15 million after being hacked

The attackers stole the database of the loyalty program of the large casino chain Caesars Entertainment, which, among other things, contained the driver’s licenses and social security numbers of customers. Under threat of publishing this information, the company paid the hackers $15 million.

According to filings in SEC According to documents, the attack was discovered on September 7. The investigation is still ongoing, but Caesars Entertainment said the incident did not impact the company’s operations or affect customer payment information.

According to researchers, the Scattered Spider group, which recently attacked another casino chain, MGM Resorts, could be behind the hack.

Virtual number services will begin to be blocked in the Russian Federation

The Russian government has recognized the use of virtual (DEF) numbers as a threat to national security in the field of communications and the Internet; services for issuing them will be blocked from September 1, 2024. TASS reports this with reference to the relevant resolution.

The document makes changes to the rules for centralized management of the public communications network. The list of threats in this area was supplemented with a clause on providing users with access to online resources and instant messengers without identification.

DEF numbers belong to foreign telecom operators, are rented and are in no way tied to the personal data of a particular person. Therefore, attackers can use them to create temporary accounts to post illegal information or commit fraudulent activities.

RKN proposed to block information about bypassing censorship

Roskomnadzor has developed criteria for restricting access to information about ways to bypass Internet blocking.

The new ban directly affects VPN services, the Tor browser, anonymizers, as well as any information about the benefits of bypassing censorship.

Public discussion of the draft relevant order will last until October 6. The changes will come into force on March 1, 2024.

Also on ForkLog:

What to read this weekend?

An excerpt from Gaspard Koenig’s book “The End of the Individual,” where the author examines whether AI can abolish the “new serfdom.”

Found an error in the text? Select it and press CTRL+ENTER