Today, 2 May 2024 – Security News

Threat actors hacked the Dropbox Sign production environment

2 May 2024 at 13:45

Threat actors breached the Dropbox Sign production environment and accessed customer email addresses and hashed passwords

Cloud storage provider Dropbox revealed that threat actors breached the production infrastructure of the Dropbox Sign eSignature service and gained access to customer information and authentication data.

Dropbox Sign is a service that allows users to electronically sign and request signatures on documents. It integrates with Dropbox storage, so users can sign and store documents in one place without ever leaving the Dropbox platform.

The company detected unauthorized access to the Dropbox Sign production environment on April 24th and immediately launched an internal investigation. The investigation revealed that a threat actor gained access to data, including customer information such as emails, usernames, phone numbers, and hashed passwords. Additionally, certain account settings and authentication information such as API keys, OAuth tokens, and multi-factor authentication details were compromised.

“On April 24th, we became aware of unauthorized access to the Dropbox Sign (formerly HelloSign) production environment. Upon further investigation, we discovered that a threat actor had accessed data including Dropbox Sign customer information such as emails, usernames, phone numbers and hashed passwords, in addition to general account settings and certain authentication information such as API keys, OAuth tokens, and multi-factor authentication.” reads the advisory published by the company.

The company reported this incident to data protection regulators and law enforcement.

The attackers compromised a service account within Sign’s back-end, a non-human account used for running applications and automated services. This account had privileges to perform various actions within Sign’s production environment, and the threat actor used it to reach the customer database.

The company noted that users who used the eSignature platform without registering an account also had their email addresses and names exposed. The company added that the attackers did not access users’ documents or agreements and did not compromise other Dropbox services.

In response to the security breach, the company’s security team reset users’ passwords, logged users out of any devices they had connected to Dropbox Sign, and is rotating all API keys and OAuth tokens.

“If you’re an API customer, to ensure the security of your account, you’ll need to rotate your API key by generating a new one, configuring it with your application, and deleting your current one. As an additional precaution, we’ll be restricting certain functionality of API keys while we coordinate rotation. Only signature requests and signing capabilities will continue to be operational for your business continuity. Once you rotate your API keys, restrictions will be removed and the product will continue to function as normal. Here is how you can easily create a new key.” continues the advisory. “Customers who use an authenticator app for multi-factor authentication should reset it. Please delete your existing entry and then reset it. If you use SMS you do not need to take any action.”

The company urges customers to change their password on any other services where they used the same password as their Dropbox Sign account, and also recommends enabling multi-factor authentication wherever possible.

Dropbox is notifying all impacted customers.

In November 2022, Dropbox announced that threat actors had gained unauthorized access to 130 of its source code repositories on GitHub. According to the advisory published by Dropbox, the company was the target of a phishing campaign that resulted in access to the GitHub repositories. The investigation revealed that the code accessed by the attackers contained some credentials, primarily API keys, used by the development team.

The company pointed out that no one’s content, passwords, or payment information was accessed, and it also remarked that the issue was quickly resolved.

Dropbox uses CircleCI for select internal deployments, and in early October, a phishing campaign targeted multiple Dropboxers using messages impersonating CircleCI.

“While our systems automatically quarantined some of these emails, others landed in Dropboxers’ inboxes. These legitimate-looking emails directed employees to visit a fake CircleCI login page, enter their GitHub username and password, and then use their hardware authentication key to pass a One Time Password (OTP) to the malicious site.” reads the advisory published by the company. “This eventually succeeded, giving the threat actor access to one of our GitHub organizations where they proceeded to copy 130 of our code repositories.”

The repositories included internal copies of third-party libraries slightly modified for use by Dropbox, internal prototypes, and some tools and configuration files used by the security team of the file hosting service.

Exposed data included a few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, CISA)

CISA adds GitLab flaw to its Known Exploited Vulnerabilities catalog

2 May 2024 at 10:39

CISA adds GitLab Community and Enterprise Editions improper access control vulnerability to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a GitLab Community and Enterprise Editions improper access control vulnerability to its Known Exploited Vulnerabilities (KEV) catalog.

The issue, tracked as CVE-2023-7028 (CVSS score: 10.0), is an account takeover via password reset. The flaw can be exploited to hijack an account without any user interaction.

“An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.” reads the advisory published by GitLab.

The flaw impacts the following versions:

  • 16.1 prior to 16.1.5
  • 16.2 prior to 16.2.8
  • 16.3 prior to 16.3.6
  • 16.4 prior to 16.4.4
  • 16.5 prior to 16.5.6
  • 16.6 prior to 16.6.4
  • 16.7 prior to 16.7.2

GitLab addressed the flaw with the releases 16.7.2, 16.5.6, and 16.6.4. The company backported security patches to 16.1.6, 16.2.9, and 16.3.7.

GitLab recommends that self-managed customers review their logs for possible attempts to exploit this vulnerability:

  • Check gitlab-rails/production_json.log for HTTP requests to the /users/password path with params.value.email consisting of a JSON array with multiple email addresses.
  • Check gitlab-rails/audit_json.log for entries with meta.caller.id of PasswordsController#create and target_details consisting of a JSON array with multiple email addresses.
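The two log checks above can be automated. The following script is an added example written for this page; it is not GitLab's code or part of the advisory. It assumes GitLab's JSON log layout as the advisory describes it (`production_json.log` request params as a list of `key`/`value` pairs, and a top-level `meta.caller.id` plus `target_details` field in `audit_json.log`), and it runs over constructed sample lines embedded in the script rather than real log data.

```python
import json
from typing import Any, Iterable

# Constructed sample lines (not from any real GitLab instance). The field layout
# is an assumption based on how the advisory names the fields: params is a list
# of {"key": ..., "value": ...} pairs, which is how "params.value.email" is read.
PRODUCTION_JSON_LOG = [
    json.dumps({
        "time": "2024-01-12T08:15:02.101Z", "method": "POST", "path": "/users/password",
        "status": 302, "remote_ip": "203.0.113.10",
        "params": [{"key": "authenticity_token", "value": "[FILTERED]"},
                   {"key": "user", "value": {"email": "alice@example.com"}}],
    }),
    json.dumps({  # the anomalous shape: an array of addresses instead of one string
        "time": "2024-01-12T08:16:40.553Z", "method": "POST", "path": "/users/password",
        "status": 302, "remote_ip": "198.51.100.7",
        "params": [{"key": "authenticity_token", "value": "[FILTERED]"},
                   {"key": "user", "value": {"email": ["alice@example.com", "attacker@example.net"]}}],
    }),
    json.dumps({
        "time": "2024-01-12T08:17:01.000Z", "method": "GET", "path": "/users/sign_in",
        "status": 200, "remote_ip": "203.0.113.10", "params": [],
    }),
    "this line is not JSON and must be skipped",
]

# Constructed audit_json.log lines; target_details is assumed to be logged as a
# string, so an injected array shows up as a string that itself encodes a JSON array.
AUDIT_JSON_LOG = [
    json.dumps({
        "time": "2024-01-12T08:15:02.300Z", "meta.caller.id": "PasswordsController#create",
        "target_details": "alice@example.com", "ip_address": "203.0.113.10",
    }),
    json.dumps({
        "time": "2024-01-12T08:16:40.700Z", "meta.caller.id": "PasswordsController#create",
        "target_details": "[\"alice@example.com\", \"attacker@example.net\"]",
        "ip_address": "198.51.100.7",
    }),
    json.dumps({
        "time": "2024-01-12T08:18:00.000Z", "meta.caller.id": "SessionsController#create",
        "target_details": "alice@example.com", "ip_address": "203.0.113.10",
    }),
]


def _parse_lines(lines: Iterable[str]):
    """Yield each line that parses as a JSON object; skip anything malformed."""
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(entry, dict):
            yield entry


def _as_email_list(value: Any):
    """Return the addresses if value is a JSON array (or a string encoding one)
    holding more than one address, as the advisory describes; otherwise None."""
    if isinstance(value, str) and value.lstrip().startswith("["):
        try:
            value = json.loads(value)
        except json.JSONDecodeError:
            return None
    if isinstance(value, list) and len(value) > 1 and all(isinstance(v, str) for v in value):
        return value
    return None


def find_suspicious_password_resets(lines: Iterable[str]):
    """production_json.log check: requests to /users/password whose
    params.value.email is an array with multiple addresses."""
    hits = []
    for entry in _parse_lines(lines):
        if entry.get("path") != "/users/password":
            continue
        for param in entry.get("params") or []:
            value = param.get("value") if isinstance(param, dict) else None
            if not isinstance(value, dict):
                continue
            emails = _as_email_list(value.get("email"))
            if emails:
                hits.append({"time": entry.get("time"),
                             "remote_ip": entry.get("remote_ip"), "emails": emails})
    return hits


def find_suspicious_audit_entries(lines: Iterable[str]):
    """audit_json.log check: PasswordsController#create events whose
    target_details is an array with multiple addresses."""
    hits = []
    for entry in _parse_lines(lines):
        if entry.get("meta.caller.id") != "PasswordsController#create":
            continue
        emails = _as_email_list(entry.get("target_details"))
        if emails:
            hits.append({"time": entry.get("time"),
                         "ip_address": entry.get("ip_address"), "emails": emails})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_password_resets(PRODUCTION_JSON_LOG):
        print("production_json.log:", hit)
    for hit in find_suspicious_audit_entries(AUDIT_JSON_LOG):
        print("audit_json.log:", hit)
```

To run it against a real instance, replace the two constructed lists with the lines of `gitlab-rails/production_json.log` and `gitlab-rails/audit_json.log`; a hit from either function is a reset request for which the confirmation email was addressed to more than one recipient, which is the pattern the advisory asks administrators to look for. A legitimate reset form submits a single string, so any array in that field merits investigation of the source IP and the accounts named.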

Researchers from ShadowServer still report thousands of instances exposed online that are vulnerable to this flaw, most of them in the US, Germany and Russia.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the catalog and address the vulnerabilities in their infrastructure.

CISA orders federal agencies to fix this vulnerability by May 22, 2024.

Pierluigi Paganini


(SecurityAffairs – hacking, CISA)

Panda Restaurant Group disclosed a data breach

2 May 2024 at 06:44

Panda Restaurant Group disclosed a data breach that occurred in March, resulting in the theft of associates’ personal information.

Panda Restaurant Group disclosed a data breach that occurred in March, resulting in the theft of personal information belonging to its associates.

Panda Restaurant Group, Inc. is the parent company of Panda Inn, Panda Express and Hibachi-San. Panda Express is the largest Asian-American restaurant chain in the United States, with 2,200 branches and over $3 billion in sales.

Panda Express has approximately 47,000 associates in its branches.

The company discovered the security breach on March 10, 2024; the attack impacted some corporate systems. The incident did not impact the company’s in-store systems, operations or guest experience.

Panda Restaurant Group took immediate action to respond to the incident by securing its infrastructure and investigating the scope of the security breach with the help of third-party cybersecurity specialists.

“After a thorough investigation, we determined that certain information maintained on our corporate systems was accessed by the unauthorized actor between March 7-11, 2024. With the support of third-party experts, we then began a thorough review of the data affected to identify the specific information and individuals impacted.” reads the Breach Notification sent to the impacted individuals. “On April 15, we concluded our review of impacted data and determined that your personal information was involved.”

Exposed information included associates’ first and last names, and other personal identifiers in combination with Driver’s License Number or Non-Driver Identification Card Number. The company has no evidence of misuse of information involved in this incident.

Panda Restaurant is offering impacted individuals a complimentary <<12/24>>-month membership of CyEx’s Identity Defense Total – 3 Bureau credit monitoring and identity protection services.

The company also recommends that individuals stay vigilant for identity theft and fraud by routinely checking their credit reports and account statements for any signs of suspicious activity or errors.

Pierluigi Paganini


(SecurityAffairs – hacking, Panda Restaurant Group)

Yesterday, 1 May 2024 – Security News

Ex-NSA employee sentenced to 262 months in prison for attempting to transfer classified documents to Russia

1 May 2024 at 18:31

A former U.S. NSA employee has been sentenced to nearly 22 years in prison for attempting to sell classified documents to Russia.

Jareh Sebastian Dalke (32), of Colorado Springs, is a former employee of the U.S. National Security Agency (NSA) who has been sentenced to nearly 22 years (262 months) in prison for attempting to transmit classified National Defense Information (NDI) to Russia.

Dalke pleaded guilty to six counts of attempting to transmit classified documents to a foreign agent while he was working at the NSA. The man served as an Information Systems Security Designer between June 6 and July 1, 2022, a position that gave him access to sensitive information.

He shared excerpts of three classified documents, classified as Top Secret//Sensitive Compartmented Information (SCI), with an individual he believed to be a Russian agent, who was actually an FBI online covert employee. These attempts occurred between August and September 2022, using an encrypted email account to demonstrate his willingness to share sensitive information.

Dalke demanded $85,000 in return for sharing all the classified information; he was aware of the importance of the documents for the Kremlin. He also told the undercover agent that he would share more files upon his return to Washington, D.C.

Dalke arranged to transfer additional classified information to a purported Russian agent at Union Station in downtown Denver. The former NSA employee used a laptop and followed the instructions provided by his contact. Four of the transferred files contained Top Secret National Defense Information (NDI). One file was a letter expressing Dalke’s eagerness to provide information and expressing anticipation of mutual benefit.

Dalke was arrested by the FBI on September 28, shortly after he transmitted the files. The former NSA employee revealed he leaked the classified documents to injure the United States and to benefit Russia.

“This defendant, who had sworn an oath to defend our country, believed he was selling classified national security information to a Russian agent, when in fact, he was outing himself to the FBI,” said Attorney General Merrick B. Garland. “This sentence demonstrates that those who seek to betray our country will be held accountable for their crimes. I am grateful to the FBI Denver and Washington Field Offices for their extraordinary work on this case.”

“This sentence should serve as a stark warning to all those entrusted with protecting national defense information that there are consequences to betraying that trust,” said FBI Director Christopher Wray. “Dalke believed he was passing classified information to an agent of the Russian government. The hard work of our FBI employees prevented that from happening and any potential harm to the United States.”

Pierluigi Paganini


(SecurityAffairs – hacking, NSA)

Cuttlefish malware targets enterprise-grade SOHO routers

1 May 2024 at 17:43

A new malware named Cuttlefish targets enterprise-grade and small office/home office (SOHO) routers to harvest public cloud authentication data.

Researchers at Lumen’s Black Lotus Labs discovered a new malware family, named Cuttlefish, which targets enterprise-grade and small office/home office (SOHO) routers to harvest public cloud authentication data from internet traffic.

The malware creates a proxy or VPN tunnel on the compromised router to exfiltrate data, and then uses stolen credentials to access targeted resources. 

Cuttlefish has a modular structure and was designed primarily to steal authentication data from web requests passing through the router from the local area network (LAN). The malicious code can also perform DNS and HTTP hijacking within private IP spaces. Additionally, it can interact with other devices on the LAN and transfer data or deploy new agents. The researchers observed similarities in code and build paths with a previously reported malware called HiatusRat, linked to China. Although there is code overlap, no shared victimology has been observed, suggesting that these malware families operate concurrently.

“The Cuttlefish malware offers a zero-click approach to capturing data from users and devices behind the targeted network’s edge. Any data sent across network equipment infiltrated by this malware, is potentially exposed.” reads the report published by Lumen’s Black Lotus Labs researchers. “What makes this malware family so insidious is the ability to perform HTTP and DNS hijacking for connections to private IP addresses. Cuttlefish lies in wait, passively sniffing packets, acting only when triggered by a predefined ruleset.”

The malware has been active since at least July 27, 2023, with indications of earlier versions. The recent campaign spanned from October 2023 to April 2024. The experts noticed that the infection chain was distinct, with 99% of infections originating in Turkey, primarily from two major telecommunications providers. These providers comprised around 93% of infections, totaling 600 unique IP addresses. Other non-Turkish victims included IP addresses likely belonging to clients of global satellite phone providers and a potential US-based data center.

The researchers have yet to determine the initial access vector; however, they believe the threat actors could have exploited known vulnerabilities or brute-forced credentials. Upon gaining access to the routers, the attackers deploy a bash script that gathers certain host-based data to send to the C2. The bash script also downloads and executes Cuttlefish.

The binary analyzed by the researchers is compiled for all major architectures used by SOHO operating systems. 

Cuttlefish malware

The malware passively monitors network packets for “credential markers,” including usernames, passwords, and authentication tokens. Cuttlefish primarily targets public cloud-based services such as Alicloud, AWS, Digital Ocean, CloudFlare, and BitBucket.

The Black Lotus Labs report highlights that targeted services are used for storing sensitive data. This approach enables threat actors to potentially copy data from cloud resources lacking the logging or controls commonly present in traditional network perimeters.

The malware stores the stolen data in a log file; when the log of filtered traffic reaches a specified size, Cuttlefish compresses it using gzip and uploads it to the C2 server using a computed UUID and a predefined value of “tid”.

Cuttlefish redirects DNS requests for private IP addresses to a specified DNS server and manipulates HTTP requests to reroute traffic to infrastructure under the control of its operators using HTTP 302 redirect responses. This capability suggests that Cuttlefish can hijack internal or site-to-site traffic, enabling access to secured resources not exposed on the Internet.

“Cuttlefish represents the latest evolution in passive eavesdropping malware for edge networking equipment, allowing an actor to adapt and overcome the TLS configurations adopted by more modern enterprises.” concludes the report. “We also believe these innovations are the next generation in malware capabilities; the ability to eavesdrop and perform DNS and HTTP hijacking has seldom been observed – the few publicly identified campaigns include ZuoRAT, VPNFilter, Attor, and Plead. However, this is the first instance where we have seen rules specifically designed to seek out private IP connections to hijack.”

Pierluigi Paganini


(SecurityAffairs – hacking, malware)

A flaw in the R programming language could allow code execution

1 May 2024 at 15:48

A flaw in the R programming language enables the execution of arbitrary code when parsing specially crafted RDS and RDX files.

A vulnerability, tracked as CVE-2024-27322 (CVSS v3: 8.8), in the R programming language could allow arbitrary code execution upon deserializing specially crafted R Data Serialization (RDS) or R package files (RDX).

R is an open-source programming language widely used for statistical computing and graphics. It was initially developed by Ross Ihaka and Robert Gentleman at the University of Auckland, New Zealand, in the early 1990s. Since then, it has gained popularity among statisticians and data miners for its powerful features and extensive libraries for data manipulation, visualization, and statistical analysis.

The R programming language has also become increasingly popular in the AI/ML field because it can handle large datasets.

The vulnerability was reported by researchers at HiddenLayer, who pointed out that the attack vector is very effective because RDS files and R packages are often shared between developers and data scientists.

“Our team discovered that it is possible to craft a malicious RDS file that will execute arbitrary code when loaded and referenced. This vulnerability, assigned CVE-2024-27322, involves the use of promise objects and lazy evaluation in R.” reads the analysis published by HiddenLayer.

The R programming language has its own serialization format, used for serializing objects with ‘saveRDS’ and deserializing them with ‘readRDS’. This format is also used when saving and loading R packages.

The vulnerability relates to how R handles serialization (‘saveRDS’) and deserialization (‘readRDS’) and involves the use of promise objects and lazy evaluation in R.

“Lazy evaluation is a strategy that allows for symbols to be evaluated only when needed, i.e., when they are accessed.” continues the analysis. “The above is achieved by creating a promise object that has both a symbol and an expression attached to it. Once the symbol ‘y’ is accessed, the expression assigning the value of ‘x’ to ‘y’ is run. The key here is that ‘y’ is not assigned the value 1 because ‘y’ is not assigned to ‘x’ until it is accessed. While we were not successful in gaining code execution within the deserialization code itself, we thought that since we could create all of the needed objects, it might be possible to create a promise that would be evaluated once someone tried to use whatever had been deserialized.”

Attackers can put promise objects containing arbitrary code in the metadata of an RDS file, in the form of expressions that are evaluated during deserialization, leading to the execution of the embedded code.

Possible attack scenarios include threat actors tricking victims into loading malicious files, or distributing a malware-laced package through widely used repositories and waiting for victims to download it.

“Given the widespread usage of R and the readRDS function, the implications of this are far-reaching. Having followed our responsible disclosure process, we have worked closely with the team at R who have worked quickly to patch this vulnerability within the most recent release – R v4.4.0. In addition, HiddenLayer’s AISec Platform will provide additional protection from this vulnerability in its Q2 product release.” concludes the report.

Pierluigi Paganini


(SecurityAffairs – hacking, R programming language)

Muddling Meerkat, a mysterious DNS Operation involving China’s Great Firewall

1 May 2024 at 08:08

The China-linked threat actors Muddling Meerkat have been manipulating DNS to probe networks globally since 2019.

Infoblox researchers observed China-linked threat actors Muddling Meerkat using sophisticated DNS activities since 2019 to bypass traditional security measures and probe networks worldwide.

The experts noticed a spike in activity observed in September 2023.

The threat actors appear to have the capability to control China’s Great Firewall and were observed utilizing a novel technique involving fake DNS MX records.

The attackers used “super-aged” domains, usually registered before the year 2000, to avoid DNS blocklists and, at the same time, blend in with old malware.

The attackers manipulate MX (Mail Exchange) records by injecting fake responses through China’s Great Firewall. However, the Infoblox researchers have yet to discover the motivation behind the attacks.

“The GFW can be described as an “operator on the side,” meaning that it does not alter DNS responses directly but injects its own answers, entering into a race condition with any response from the original intended destination. When the GFW response is received by the requester first, it can poison their DNS cache.” reads the analysis published by Infoblox. “The GFW creates a lot of noise and misleading data that can hinder investigations into anomalous behavior in DNS. I have personally gone hunting down numerous trails only to conclude: oh, it’s just the GFW.”

Muddling Meerkat

The experts noticed that a cluster of activities linked to a threat actor tracked as “ExploderBot”, which included the most demonstrably damaging DNS DDoS attacks, ceased in May 2018. However, low-volume attacks resembling Slow Drip DDoS attacks have persisted since then. These attacks involve queries for random subdomains of target domains, propagated through open resolvers. Despite their lower volumes, these attacks share behavioral patterns similar to DNS DDoS attacks.

Muddling Meerkat’s operations also used MX record queries for random subdomains of target domains, rather than the base domain itself. This scenario is unusual as it typically occurs when a user intends to send email to a subdomain, which is not common in normal DNS activity. The researchers noticed that many of the target domains lack functional mail servers, making these queries even more mysterious.

“The data we have suggests that the operations are performed in independent “stages;” some include MX queries for target domains, and others include a broader set of queries for random subdomains. The DNS event data containing MX records from the GFW often occurs on separate dates from those where we see MX queries at open resolvers.” concludes the report. “Because the domain names are the same across the stages and the queries are consistent across domain names, both over a multi-year period, these stages surely must be related, but we did not draw a conclusion about how they are related or why the actor would use such staged approaches.”

The report also includes indicators of compromise (IoCs) and recommendations to neutralize these activities.

Pierluigi Paganini


(SecurityAffairs – hacking, DNS)

Before yesterday – Security News

Notorious Finnish Hacker sentenced to more than six years in prison

30 April 2024 at 21:32

A Finnish hacker was sentenced to more than six years in prison for hacking into an online psychotherapy clinic and attempted extortion.

The notorious 26-year-old Finnish hacker Aleksanteri Kivimäki was sentenced to more than six years in prison for hacking into the online psychotherapy clinic Vastaamo Psychotherapy Center, exposing tens of thousands of patient therapy records, and trying to extort the clinic and its clients.

The man was arrested near Paris in February 2023, where he was living under a false identity. Kivimäki was deported to Finland and his trial concluded in March 2024.

In October 2020, the Vastaamo Psychotherapy Center was the victim of an extortion attempt. Threat actors hacked the clinic and stole a database containing information on some 33,000 clients. A threat actor who goes by the moniker “ransom_man” demanded 40 bitcoin (approximately 450,000 euros at the time) to avoid leaking sensitive therapy information stolen from the clinic, which refused to pay.

“Ransom_man announced on the dark web that he would start publishing 100 patient profiles every 24 hours. When Vastaamo declined to pay, ransom_man shifted to extorting individual patients. According to Finnish police, some 22,000 victims reported extortion attempts targeting them personally, targeted emails that threatened to publish their therapy notes online unless paid a 500 euro ransom.” reads the post published by Brian Krebs. “Finnish prosecutors quickly zeroed in on a suspect: Julius “Zeekill” Kivimäki, a notorious criminal hacker convicted of committing tens of thousands of cybercrimes before he became an adult. After being charged with the attack in October 2022, Kivimäki fled the country. He was arrested four months later in France, hiding out under an assumed name and passport.”

The hacker demanded a ransom of 200 euros or 500 euros from each patient, and about 20 clients paid it.

The man was found guilty of several offenses, which included aggravated data breach, 21,000 counts of aggravated blackmail attempts, and 9,200 counts of aggravated dissemination.

Kivimäki denied all charges and may appeal, according to his lawyer. Prosecutors aimed for the maximum sentence of seven years, given the nature of the crimes.

Kivimäki was involved in multiple criminal cases in the past; he was a member of the hacker group Hack the Planet (HTP).

Kivimäki is also known as a member of the notorious hacker group Lizard Squad.

In 2013, investigators discovered malicious code on devices seized from Kivimäki, which was used by HTP to compromise over 60,000 servers exploiting an Adobe ColdFusion zero-day. This exploit was reported by Brian Krebs in September 2013, after the hackers breached the servers of LexisNexis, Kroll, and Dun & Bradstreet.

Pierluigi Paganini


(SecurityAffairs – hacking, Finnish Hacker)

CISA guidelines to protect critical infrastructure against AI-based threats

30 April 2024 at 17:23

The US government’s cybersecurity agency CISA published a series of guidelines to protect critical infrastructure against AI-based attacks.

CISA collaborated with Sector Risk Management Agencies (SRMAs) and regulatory agencies to conduct sector-specific assessments of AI risks to U.S. critical infrastructure, as mandated by Executive Order 14110 Section 4.3(a)(i). The analysis categorized AI risks into three categories:

  • Attacks Using AI;
  • Attacks Targeting AI Systems;
  • Failures in AI Design and Implementation.

AI risk management for critical infrastructure is an ongoing process throughout the AI lifecycle.

These guidelines integrate the AI Risk Management Framework into enterprise risk management programs for critical infrastructure. The AI RMF Core consists of the Govern, Map, Measure, and Manage functions.

The Govern function within the AI RMF establishes an organizational approach to AI Risk Management within existing Enterprise Risk Management (ERM). Recommended actions for addressing risks throughout the AI lifecycle are integrated into the Map, Measure, and Manage functions. These guidelines improve AI safety and security risk management practices proposed by the NIST AI RMF.

CISA highlights that the risks are context-dependent, which implies that critical infrastructure operators should consider sector-specific and context-specific factors when assessing and mitigating AI risks. Specific sectors may need to define their own tailored guidelines for managing AI risk. Stakeholders may focus on different aspects of the AI lifecycle depending on their sector or role, whether they are involved in the design, development, procurement, deployment, operation, management, maintenance, or retirement of AI systems.

“Critical infrastructure owners and operators can foster a culture of risk management by aligning AI safety and security priorities with their own organizational principles and strategic priorities. This organizational approach follows a “secure by design” philosophy where leaders prioritize and take ownership of safety and security outcomes and build organizational structures that make security a top priority.” read the guidelines.

Pierluigi Paganini


(SecurityAffairs – hacking, CISA)

NCSC: New UK law bans default passwords on smart devices

30 April 2024 at 07:23

The UK National Cyber Security Centre (NCSC) orders smart device manufacturers to ban default passwords starting from April 29, 2024.

The U.K. National Cyber Security Centre (NCSC) is urging manufacturers of smart devices to comply with new legislation that bans default passwords.

The law, known as the Product Security and Telecommunications Infrastructure act (or PSTI act), will be effective on April 29, 2024.

“From 29 April 2024, manufacturers of consumer ‘smart’ devices must comply with new UK law.” reads the announcement published by NCSC. “The law, known as the Product Security and Telecommunications Infrastructure act (or PSTI act), will help consumers to choose smart devices that have been designed to provide ongoing protection against cyber attacks.”

The U.K. is the first country in the world to ban default credentials on IoT devices.

The law prohibits manufacturers from supplying devices with default passwords, which are easily accessible online and can be shared.

The law applies to the following products:

  • Smart speakers, smart TVs, and streaming devices
  • Smart doorbells, baby monitors, and security cameras
  • Cellular tablets, smartphones, and game consoles
  • Wearable fitness trackers (including smart watches)
  • Smart domestic appliances (such as light bulbs, plugs, kettles, thermostats, ovens, fridges, cleaners, and washing machines)

Threat actors could use default passwords to access a local network or launch cyber attacks.

Manufacturers are obliged to designate a contact point for reporting security issues and must specify the minimum duration for which the device will receive crucial security updates.

The NCSC clarified that the PSTI act also applies to organizations importing or retailing products for the UK market, which covers most smart devices manufactured outside the UK. Manufacturers that don't comply with the act face fines of up to £10 million or 4% of qualifying worldwide revenue, whichever is higher.

Pierluigi Paganini

(SecurityAffairs – hacking, smart device manufacturers)

The FCC imposes $200 million in fines on four US carriers for unlawfully sharing user location data

30 April 2024 at 05:36

The Federal Communications Commission (FCC) fined the four largest U.S. wireless carriers nearly $200 million in total for sharing customers' real-time location data without their consent.

The FCC has fined four major U.S. wireless carriers nearly $200 million for unlawfully selling access to their customers' real-time location data without consent. The fines finalize the Notices of Apparent Liability (NAL) that the FCC issued against AT&T, Sprint, T-Mobile, and Verizon in February 2020.

The amounts proposed in those 2020 notices were more than $91 million for T-Mobile, more than $57 million for AT&T, more than $48 million for Verizon, and more than $12 million for Sprint. The final forfeiture orders kept the AT&T and Sprint amounts and reduced T-Mobile's and Verizon's to roughly $80 million and $47 million respectively.

“The Federal Communications Commission today proposed fines against the nation’s four largest wireless carriers for apparently selling access to their customers’ location information without taking reasonable measures to protect against unauthorized access to that information.” reads the announcement published by FCC. “As a result, T-Mobile faces a proposed fine of more than $91 million; AT&T faces a proposed fine of more than $57 million; Verizon faces a proposed fine of more than $48 million; and Sprint faces a proposed fine of more than $12 million. The FCC also admonished these carriers for apparently disclosing their customers’ location information, without their authorization, to a third party.”

The FCC’s Enforcement Bureau launched an investigation after Missouri Sheriff Cory Hutcheson misused a “location-finding service” provided by Securus, a communications provider for correctional facilities, to look up the location of wireless carrier customers without their consent between 2014 and 2017. Hutcheson allegedly submitted irrelevant documents, such as health and auto insurance policies and pages from sheriff training manuals, as purported proof that he was authorized to access the data.

The FCC added that, even after learning of these irregularities, the carriers continued to sell access to their customers’ location information and did not adequately protect it from further unauthorized access.

All four carriers condemned the FCC’s decision and announced they would appeal it.

The Communications Act requires telecommunications carriers to protect the confidentiality of customer proprietary network information (CPNI), which includes location information relating to telecommunications services. Carriers must take reasonable measures to prevent unauthorized access to that data, and carriers or their agents must normally obtain the customer's express consent before using, disclosing, or permitting access to it. Carriers remain responsible for the conduct of their agents in this regard.

Pierluigi Paganini

(SecurityAffairs – hacking, Federal Communications Commission)

Google prevented 2.28 million policy-violating apps from being published on Google Play in 2023

29 April 2024 at 20:24

Google announced that it prevented 2.28 million policy-violating apps from being published on the official Google Play store in 2023.

Google reported that in 2023 it prevented 2.28 million policy-violating apps from being published on Google Play. The company attributes this result to enhanced security features, policy updates, and advanced machine learning and app review processes.

Additionally, Google Play tightened its developer onboarding and review procedures, requiring stronger identity verification during account setup. These efforts led to the ban of 333,000 accounts for confirmed malware and repeated severe policy violations.

Google also rejected or remediated approximately 200K app submissions to ensure proper use of sensitive permissions such as background location or SMS access. Google has closely worked with SDK providers to protect users’ privacy and prevent sensitive data access and sharing. Over 31 SDKs have enhanced their posture impacting 790K+ apps.

“We also significantly expanded the Google Play SDK Index, which now covers the SDKs used in almost 6 million apps across the Android ecosystem.” states Google. “This valuable resource helps developers make better SDK choices, boosts app quality and minimizes integration risks.”

Google continues to work on improving the Android environment. In November, 2023, it moved the App Defense Alliance (ADA) under the umbrella of the Linux Foundation, with Meta, Microsoft, and Google as founding steering members. The Alliance encourages widespread adoption of best practices and guidelines for app security across the industry, while also developing countermeasures to address emerging security threats.

Google enhanced Google Play Protect’s security capabilities to provide stronger protection for users installing apps from outside the Play Store. The company implemented real-time scanning at the code-level to detect new malicious apps. The company revealed that this measure has already identified over 5 million new malicious apps outside of the Play Store, enhancing Android users’ global security.

Pierluigi Paganini

(SecurityAffairs – hacking, Google Play)
