Cybersecurity researchers have revealed a GitHub design flaw that allows access to deleted and private repository data. Learn how the issue, dubbed Cross Fork Object Reference (CFOR), puts sensitive information at risk and what it means for open-source security.

Cybersecurity researchers at Truffle Security, an open-source security software company, have found that anyone can access deleted and private repository data on GitHub, and it’s available forever.

This issue, known as Cross Fork Object Reference (CFOR), allows users to directly access commit data from another fork, including data from private and deleted forks.

According to Truffle Security, this is not a bug, but rather an intentional design feature of GitHub’s repository architecture. This means that any code committed to a public repository may be accessible forever, even if the original repository is deleted, as long as there is at least one fork of that repository.

The researchers demonstrated three scenarios where this issue can be exploited:

Accessing Deleted Fork Data: When a user forks a public repository, commits code to it, and then deletes the fork, the committed code is still accessible forever. This is because GitHub stores repositories and forks in a repository network, and deleting a fork does not delete the committed data.

Accessing Deleted Repo Data: When a public repository is deleted, GitHub reassigns the root node role to one of the downstream forks. This means that all commits from the original repository still exist and are accessible via any fork, even if the fork never synced with the original repository.

Accessing Private Repo Data: When a private repository is open-sourced, any code committed between the time the internal fork was created and when the repository was made public is accessible on the public repository. This is because the private fork and public repository are part of the same repository network.

To access the data, an attacker only needs to know the commit hash https://github.com/<user/org>/<repo>/commit/<commit_hash>, which can be brute-forced through GitHub’s UI or obtained through the public events API endpoint. This means that confidential data and secrets may be inadvertently exposed on an organization’s public GitHub repositories.

Truffle Security has submitted their report titled “Anyone can Access Deleted and Private Repository Data on GitHub” to GitHub via their Vulnerability Disclosure Program, and GitHub has responded that their architecture is designed to work this way. While GitHub is transparent about their architecture, the average user may not understand the implications of this design, and the act of deletion does not necessarily mean that the data is deleted.

Truffle Security recommends that users take steps to securely remediate leaked keys on public GitHub repositories through key rotation. They also note that secret scanning tools will need to be updated to handle these scenarios and that users should be aware that deleted data may still be accessible.

This issue is not unique to GitHub, and other version control system products may also be affected. As the use of open-source software continues to grow, users must understand the security implications of how these systems work.

The notorious Chinese Smishing Triad gang, known for its SMS phishing attacks against Pakistan, the US, and European nations, has now set its sights on iPhone users in India. The group is exploiting iMessage and the government-owned India Post in a sophisticated phishing scam.

FortiGuard Labs has revealed a sophisticated Smishing (SMS Phishing) campaign targeting users of India Post, the country’s government-operated postal system. The scam, attributed to a China-based threat actor known as the Smishing Triad, involves sending deceptive iMessages to iPhone users, claiming that a package is waiting for them at an India Post warehouse.

The fraudulent messages often contain a short URL leading to a fake website designed to mimic the official India Post site. Victims are then prompted to provide sensitive personal information, such as their name, residential address, email ID, and phone number. In some cases, the scammers even request credit card details under the guise of a small redelivery fee.

FortiGuard Labs’ investigation revealed that between January and July 2024, over 470 domain names were registered to impersonate India Post’s official domain. Notably, 296 of these domains were registered through a Chinese registrar, Beijing Lanhai Jiye Technology Co., Ltd., raising concerns about the intentions behind the campaign.

The Smishing Triad has previously targeted other regions, including the US, UK, EU, UAE, KSA, and Pakistan. Their modus operandi involves using third-party email addresses, such as Hotmail, Gmail, or Yahoo, to create Apple IDs and send phishing messages via iMessage. This tactic allows the scammers to bypass traditional email security measures and reach users directly on their iPhones.

According to Fortinet Labs’ report shared with Hackread.com ahead of its publication on Thursday, the phishing campaign is quite sophisticated and well planned. The investment in registering the malicious domain names alone exceeds USD 1500.

Jason Soroko, Senior Vice President of Product at Sectigo, commented on the issue, stating, “The use of third-party email addresses on iMessage facilitates these attacks, highlighting a need for increased awareness and robust security measures among users to mitigate potential financial losses and data breaches.”

Stephen Kowski, Field CTO at SlashNext Email Security+, emphasized the need for comprehensive mobile web threat protection, stating, “As smishing attacks become increasingly sophisticated, organizations must prioritize educating their users on how to identify and report suspicious messages, while also implementing robust security measures that can inspect and mitigate threats in real-time, regardless of the communication channel used.”

To protect themselves from such scams, users are advised to be cautious of unexpected emails or messages, verify URLs before clicking on them, and avoid sharing personal information via email or messaging apps. Enabling multi-factor authentication and keeping software up to date can also help strengthen account security.

Ref:https://hackread.com/chinese-sms-phishing-group-iphone-users-india-post-scam/

On Friday, July 19, 2024, nearly 8.5 million Microsoft devices were affected by a faulty system update, causing a major outage of businesses and services worldwide. This equates to nearly 1% of all Microsoft systems globally and has led to significant disruptions to airlines, police departments, banks, hospitals, emergency call centers and hundreds of thousands of other private and public businesses.

What caused this outage in Microsoft systems?

The global outage of specific Microsoft-enabled systems and servers was isolated to a faulty software update released by CrowdStrike, one of the largest independent cybersecurity companies with nearly 30,000 subscribers worldwide.

With the majority of these subscribers automatically pushing new security updates as they become available, all impacted systems were put into a BSOD (Blue Screen of Death) state. This triggered an infinite boot cycle of the operating system, leaving the systems unable to boot correctly. The operating system then attempts to restart but encounters the same error, causing the process to repeat indefinitely.

On July 19, CrowdStrike’s CEO George Kurtz announced on X that the company is “actively working with customers impacted by a defect found in a single content update for Windows hosts.” He also confirmed that “This is not a security incident or cyberattack. The issue has been identified, isolated and a fix has been deployed.”

What has been the aftermath of this incident?

Even though this CrowdStrike event only affected less than 1% of all Microsoft-enabled systems, the aftermath so far has been significant.

One of the largest industries impacted by the major outages caused by this faulty update has been air travel. On Friday, more than 3,300 flights had already been canceled around the globe. In the United States, three major airlines Delta, American, and United all grounded their flights for several hours, causing a significant backlog of customer and commercial travel. Airports in Tokyo, Amsterdam, and Delhi were also impacted, creating major issues in other international locations.

Banking institutions were also significantly disrupted by system outages that impacted everything from ATMs to mobile banking applications and call centers. Even more critical has been the impact on essential emergency services such as hospitals and 911 dispatch teams.

Massachusetts General Hospital released the following statement regarding the impact of the outage on its operations: “A major worldwide software outage has affected many of our systems at Mass General Brigham, as well as many major businesses across the country. Due to the severity of this issue, all previously scheduled non-urgent surgeries, procedures, and medical visits are canceled today.”

The ongoing aftermath of this situation has demonstrated how reliant we are on an interconnected ecosystem of technology and services.

How is this issue being resolved?

As George Kurtz mentioned in his statement on X, CrowdStrike has already fixed the issue on its end and is actively working with its customers to fully resolve the problem. However, in an interview on the TODAY show on NBC, he also stated, “It could be some time for some systems that just automatically won’t recover.”

Many IT experts agree with this statement and claim it could take several days for larger organizations to get their systems back to normal operation. The problem lies in the BSOD issues that are being created. This means that while CrowdStrike has “pushed” an automatic update to users on their end since many customers will be unable to fully reboot their system, they won’t be able to receive and install the update.

CrowdStrike has published manual remediation actions for IT administrators to follow in the event they can’t see an automatic recovery from the issue. These actions involve booting an operating system into “safe mode,” making modifications to the installed drivers, and rebooting again safely.

While the company has been clear that it has a permanent fix for this issue, it will take time for IT administrators to gain manual access to remote servers and systems running Microsoft operating systems so they’re able to address these issues.

Unfortunately, the damage has already been done. The ongoing ripple effects of significant economic impacts caused by this event continue to spread, with early estimates of the total losses associated with it nearing $1 billion.

Ref: https://securityintelligence.com/news/recent-crowdstrike-outage-what-you-should-know/

Cybercrime costs trillions, rising yearly. Criminals operate globally, teaching their methods. This article explores major cyberattacks from 1962 to 2024 and how investigators use advanced technology to combat them.

Cybercrime is a multi-trillion dollar business with the global annual cost of cybercrime predicted to reach USD 9.5 trillion in 2024 and USD 10.5 trillion by 2025.

With crime masquerading as legitimate organizations in all corners of the globe, some especially bold online criminals teach others to do the same, even offering their services as pop-up ads. 

Along with the explosion of cybercrime, are advancements in cybercrime investigation techniques, like those employed by Digital Forensics offering cyber security services. 

A Short History of Cybercrime

France claims the first cyber crime, all the way back in 1834 when hackers got into the French telegraph system and stole financial market information. However, it really took off during the 20th century and continues to grow and evolve as the internet and our online lives change and thrive. 

As of 2020, billions of dollars have been lost due to cybercrime. As technology continues to evolve, so does the sophistication of cybercrime techniques. In response, investigation measures must also evolve to keep pace. Keep reading to find out about how investigators are doing their best to control crime online.

Here is a historical look into some of the most prominent cyber attacks:

1962 – The MIT database was hacked.

1971 – the first computer virus was created. 

1981 – Ian Murphy was the first person convicted of a cybercrime. 

1988 – Robert Morris carried out the first major cyberattack.

1989 – the appearance of Ransomware. 

1994 – a password sniffer was used for the first time.

1995 – the first hacker tried to rob a bank.

1998 – the U.S. government was hacked for the first time. 

1999 – the Melissa virus struck.

2000 – DDoS attacks took down several major retailers. 

2000 – the ILOVEYOU virus attacked. 

2005 – HSBC experienced a security breach, affecting 180,000 customers. 

2008 – The data of 134 million users was compromised when Heartland Payment systems were hacked. 

2010 – the first digital weapon Stuxnet worm attacked nuclear plants in Iran.

2010 – the Zeus virus struck.

2010 – Operation Aurora was launched by the Chinese.

2011 – the Sony Corporation was hacked. 

2013 – Edward Snowden released sensitive government information from several countries. 

2013 – Target Corporation was the victim of a phishing attack

2013 – Adobe users’ credit card information was released online due to being hacked. 

2014 – Celebgate occurs. 

2015 – SamSam ransomware appeared. 

2015 – Ashley Madison database hacked and released. 

2017 – WannaCry affected more than 200,000 Windows devices.

2017 – Facebook and Google employees were tricked into wiring hundreds of millions of dollars to hackers. 

2018 – GitHub saw traffic of 1.3 terabytes per second in a DDoS attack.

2018 – Coinhive crypto-jacking attack.

2018 – Marriot Hotels suffered a breach affecting personal data of 500 million guests

2019 – Capital One suffered the largest data breach in history. 

2020 – High profile X (Twitter) user accounts included in phishing attack.

2022 – The Government of Costa Rica called a state of emergency after attack by the Conti Ransomware Gang.

2023 – The ongoing MOVEit cyber attack has affected 2000+ organizations and exposed the data of 60 million people.

2024: Ticketmaster suffers data breach via Snowflake vulnerability.

2024 – Hackers steal call logs and text messages belonging to all AT&T customers.

Advanced Cybercrime Investigation Technology

As cybercrime evolves, so too does the practice of counteracting and investigating it. That includes a wide range of crimes, from online blackmail to online sextortion to data theft and much more. With a number of techniques available, there are multiple ways to address the issue.

Memory Forensics

This method involves analyzing RAM to find details like open network connections, running processes, and encryption keys. This allows for an in-depth investigation of cyber crimes while also offering a view of what a system looks like in real-time during a cyber attack. 

Blockchain Forensics

Criminals use this to commit crimes dealing with cryptocurrency with the response being blockchain technology that traces online transactions so they can be analyzed for malicious activity. Tracking the flow of funds is useful for investigating crimes taking place on the dark web, as well as those that involve ransomware.

Cloud Forensics

Cloud forensics emerged as a way to investigate and track data that is stored in the cloud. Experts can collect, analyze, and preserve relevant evidence when they are investigating online crime scenes. 

Artificial Intelligence and Machine Learning

Both Artificial Intelligence (AI) and Machine Learning (ML) can be used to go through the infinite amounts of data that can be found online. This is especially helpful for analyzing data as it relates to cybercrime investigations. They can detect anomalies, recognize patterns, and flag potential threats, freeing investigators up for tasks that must be completed by humans. 

Threat Intelligence

Integrating threat intelligence techniques into cybercrime investigation is useful for identifying and responding to threats. By being aware of threats as they evolve, as well as attack patterns, experts can shore up their defences and reduce the risk of a cyberattack. 

Summary

Cybercriminals are also using the same tools used to combat cybercrime. For that reason, continued work on improving investigative techniques, as well as staying aware of cybercrime activity offers protection, though nothing is fail-safe, so being cautious online is always important. 

Ref:https://hackread.com/the-evolution-of-cybercrime-investigations/

AT&T confirms a data breach exposing call and text records for “Nearly All” customers from May 2022 to October 2022. Investigations are underway and 1 arrest has already been made.

While users try to make sense of the Ticketmaster data breach, AT&T has revealed a massive breach. The data breach which occurred earlier this year impacted millions of AT&T customers, allowing hackers to access the call and text message information of around 109 million customers.

The breach, detected on April 19, 2024, exposed call and text message information, affecting “Nearly All” cellular, mobile virtual network operators, and landline customers. AT&T has over 109 million customers in the United States.

As per AT&T’s Form 8-k filing, the stolen data included call and text records of all AT&T mobile clients, customers of mobile virtual network operators, and landline customers who interacted with the numbers between May 1 to October 31, 2022, and January 2, 2023. Hackers gained access to telephone numbers, interactions, aggregate call duration, and cell site identification numbers. 

Data Breach Linked to Snowflake Flaw

AT&T has confirmed to Hackread.com that data was stolen from its Snowflake account in a wave of data theft attacks between April 14 and April 25, 2024, using compromised credentials.

For your information, Snowflake is a cloud-based database provider that allows customers to perform data warehousing and analytics on large volumes of data. The recent Snowflake vulnerability concerns revolve around a series of identity-based cyberattacks targeting Snowflake’s customer accounts, rather than a direct breach of Snowflake’s systems.

Since April 2024, there has been an increase in unauthorized access attempts using stolen credentials from various unrelated cyber incidents including the following:

• Twilio
• Ticketmaster
• Neiman Marcus
• Truist Bank Data
• The Los Angeles Unified School District (LAUSD)

and 100s of others…

What information was exposed?

• Duration of the calls
• Dates of the calls or texts
• Phone numbers involved in the calls or texts

What information was not exposed?

• Names
• Addresses
• Call/text timestamps
• Content of calls/texts
• Social Security numbers

This means while the breach is significant, hackers did not steal any sensitive information but they can correlate metadata to reveal identities.

1 Arrested

AT&T is working with law enforcement to investigate the data breach and apprehend those responsible, while one individual has already been arrested. The company has not yet provided any information on how the breach occurred.

However, it has implemented additional cybersecurity measures to prevent unauthorized access attempts and will notify affected customers soon. There is no evidence of the accessed data being publicly available.

AT&T was granted permission twice by the US Department of Justice to delay public notification of the data breach due to potential national security and public safety risks, which is the first such exception. The FBI and AT&T collaborated during the delay process to boost investigative equities and support AT&T’s incident response work.

“On May 9, 2024, and again on June 5, 2024, the U.S. Department of Justice determined that, under Item 1.05(c) of Form 8-K, a delay in providing public disclosure was warranted. AT&T is now timely filing this report. AT&T is working with law enforcement in its efforts to arrest those involved in the incident. Based on information available to AT&T, it understands that at least one person has been apprehended. As of the date of this filing, AT&T does not believe that the data is publicly available. “AT&T

Jim Routh, Chief Trust Officer at cybersecurity company Saviynt commented on the AT&T data breach emphasising on overhalling the third-party data storage ecosystem. “Though the data breach did not include customer credential information, it is another example of the need for enterprises to invest in redesigning third-party governance models specific to credential management.“

Jason Soroko, Senior Vice President of Product at Sectigo, a Scottsdale, Arizona-based provider of comprehensive certificate lifecycle management (CLM), also commented urging Snowflake customers to implement multi-factor authentication (MFA) to protect their accounts from cyber attacks.

“Companies using Snowflake should immediately implement multi-factor authentication (MFA) to enhance security and protect sensitive data as MFA provides an additional layer of defence against unauthorized access, significantly reducing the risk of breaches,“ explained Jason. “This is true, not just for Snowflake, but anyone using a third-party service via an authenticated session, that authentication needs to be using a credential stronger than just username and password,“ he advised.

Nevertheless, this is not the first time that AT&T has been hit by a data breach. In August 2021, hackers sold an AT&T database containing 70 Social Security Numbers (SSNs) on a cybercrime forum. In April 2024, AT&T confirmed a massive data breach impacting a staggering 73 million (73,481,539) current and former customers when hackers leaked the trove of data on Breach Forums.

The company has also been criticized for its billing practices, with some customers accusing it of adding unauthorized charges to their bills. The latest data breach is likely to further erode trust in AT&T.

Ref:https://hackread.com/att-data-breach-hackers-steal-call-text-records/