TikTok denies data breach following leak of user data and source code

The hacking group AgainstTheWest recently published a post on the Breach Forums message board, claiming to have hacked TikTok and stolen source code and user data. The group published screenshots of the allegedly stolen data and claims to have had access to an Alibaba Cloud instance containing data for both TikTok and WeChat users. The group claims to hold 2.05 billion records in a massive 790GB database containing user data, platform statistics, software code, cookies, auth tokens, server info, and more.

TikTok has told Bleeping Computer that the claims of the company being hacked are false: “This is an incorrect claim — our security team investigated this statement and determined that the code in question is completely unrelated to TikTok’s backend source code, which has never been merged with WeChat data.” TikTok further said: “We have confirmed that the data samples in question are all publicly accessible and are not due to any compromise of TikTok systems, networks, or databases. We do not believe users need to take any proactive actions, and we remain committed to the safety and security of our global community.”

Bob Diachenko, a well-known data breach hunter, and his team analyzed the publicly exposed data, confirmed it was genuine, and noted that its source was Hangzhou Julun Network Technology Co., Ltd, not TikTok.

Troy Hunt, a regional director at Microsoft and the creator of the Have I Been Pwned tool, called the hackers’ data “inconclusive,” but added that “it could be non-production or test data” that likely wasn’t taken through a data breach.

Read more about it here.

Google blocked the largest HTTPS DDoS attack ever

Google announced it has fended off the largest ever HTTPS-based Distributed Denial of Service (DDoS) attack, which peaked at 46 million requests per second. According to Google, the DDoS attack was quickly detected and stopped at the edge of Google’s network, and the customer that was attacked was not impacted.

On June 1, 2022, starting at 9:45 AM PDT, a Google Cloud Armor customer was targeted with a series of HTTPS DDoS attacks which peaked at 46 million requests per second. To give a sense of the scale of the attack, that is like receiving all the daily requests to Wikipedia (one of the top 10 trafficked websites in the world) in just 10 seconds.

Cloud Armor Adaptive Protection was able to detect and analyze the traffic early in the attack lifecycle. Cloud Armor alerted the customer with a recommended protective rule, which was then deployed before the attack ramped up to its full magnitude. Cloud Armor blocked the attack, ensuring the customer’s service stayed online and continued serving their end users.

“There were 5,256 source IPs from 132 countries contributing to the attack. Approximately 22% (1,169) of the source IPs corresponded to Tor exit nodes.”

The attack lasted 69 minutes, ending at 10:54 AM PDT.

Read more about it here.

Attackers abuse open redirects in Snapchat and Amex web sites in phishing attacks

Attackers abused open redirects on the websites of Snapchat and American Express in a series of phishing attacks to steal Microsoft 365, FedEx and DocuSign credentials.

An open redirect occurs when a website accepts a URL parameter that sends the browser on to another URL and fails to validate that parameter, allowing attackers to redirect victims to malicious sites. Victims trust the link because the first domain name in the manipulated link is a trusted domain, such as American Express or Snapchat. An example of such a URL is https://safe.com/redirect?url=https://malicious.com.

“The trusted domain (e.g., American Express, Snapchat) acts as a temporary landing page before the surfer is redirected to a malicious site,” says a post published in August 2022 by INKY.

During a two-and-a-half-month period, INKY engineers detected the snapchat[.]com open redirect vulnerability in 6,812 phishing emails originating from various hijacked accounts.

Open Bug Bounty reported the Snapchat vulnerability to the company on Aug. 4, 2021. However, it remains unpatched.

American Express quickly fixed the issue in late July 2022.

When examining links, surfers should keep an eye out for URLs that include, for example, “url=”, “redirect=”, “external-link”, or “proxy”. These strings might indicate that a trusted domain could redirect to another site.

Website owners should only allow redirects that lead back to their own site.
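As an added example (not code from the INKY post or from this article), the Python below puts the weak redirect handler beside a hardened one that only honours paths on the site's own host, and adds a link inspector that applies the advice above: it flags a URL whose redirect-style parameter points at a different host than the landing page. The hosts safe.com and malicious.com are the article's illustrative names; the parameter list and every input are constructed for the example.

```python
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed for this example: the site's own host (the article's illustrative
# safe.com) and query-parameter names that commonly carry a redirect target.
OWN_HOST = "safe.com"
REDIRECT_PARAMS = ("url", "redirect", "next", "return", "external-link", "proxy")


def vulnerable_redirect_target(requested: str) -> str:
    """The open-redirect pattern: the browser is sent wherever the parameter says."""
    return requested


def safe_redirect_target(requested: str, own_host: str = OWN_HOST, fallback: str = "/") -> str:
    """Hardened handler: only same-site paths or https URLs on our own host are honoured;
    other hosts, other schemes and protocol-relative tricks all fall back to '/'."""
    if not requested:
        return fallback
    # '//evil.com' is protocol-relative; '/\evil.com' is normalised to '//' by some browsers.
    if requested.startswith("//") or requested.startswith("/\\"):
        return fallback
    parsed = urlparse(requested)
    if parsed.scheme or parsed.netloc:
        # Absolute URL: compare the parsed hostname, so 'https://safe.com@malicious.com' is rejected.
        if parsed.scheme == "https" and parsed.hostname == own_host:
            return requested
        return fallback
    # Relative target: require a plain path on this site.
    if not requested.startswith("/"):
        return fallback
    return requested


def flags_open_redirect(link: str) -> Optional[dict]:
    """Inspect a link the way the article suggests: report a redirect-style parameter
    whose value is an absolute URL on a host other than the landing page's host."""
    parsed = urlparse(link)
    query = parse_qs(parsed.query)   # also decodes percent-encoded values
    for name in REDIRECT_PARAMS:
        for value in query.get(name, []):
            target = urlparse(value)
            if target.netloc and target.hostname != parsed.hostname:
                return {"param": name, "landing_host": parsed.hostname, "final_host": target.hostname}
    return None


if __name__ == "__main__":
    print(flags_open_redirect("https://safe.com/redirect?url=https://malicious.com"))
    print(safe_redirect_target("https://malicious.com"), safe_redirect_target("/account"))
```

The hardened handler deliberately does not try to "clean" a rejected target; it drops it and sends the user to a fixed fallback, which is the only redirect policy that cannot be talked into leaving the site.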

Read more about it here.

US FCC warns of the rise of robotext scams

The US Federal Communications Commission (FCC) warned Americans of the rising threat of robotext (smishing) attacks.

“Substantial increases in consumer complaints to the FCC, reports by non-government robocall and robotext blocking services, and anecdotal and news reporting make it clear that text messages are increasingly being used by scammers to target American consumers,” reads the alert.

Scam text message senders want you to engage with them. Like robocallers, a robotexter may use fear and anxiety to get you to interact. Texts may include false-but-believable claims about unpaid bills, package delivery snafus, bank account problems, or law enforcement actions against you.

Some scammers may be after your money, but others may simply be trying to collect personal information or confirm that a number is active for use in future scams. Do not respond or click on any links in the message.

Some independent reports estimate billions of robotexts each month.

What you should do to protect yourself:

  • Do not respond to suspicious texts, even if the message requests that you “text STOP” to end messages.
  • Do not click on any links.
  • Do not provide any information via text or website.
  • File a complaint.
  • Forward unwanted texts to SPAM (7726).
  • Delete all suspicious texts.
  • Update your smart device OS and security apps.
  • Consider installing anti-malware software.
  • Review companies’ policies regarding opting out of text alerts and selling/sharing your information.
  • Review text blocking tools in your mobile phone settings, available third-party apps, and your mobile phone carrier’s offerings.

Read more about it here.

5.4 million Twitter accounts available for sale online

Social media site Twitter has suffered a data breach of over 5.4 million accounts, which are now for sale on a hacking forum. The hacker, who goes by the alias ‘devil’, claimed in a post on Breach Forums that the stolen dataset includes email addresses and phone numbers from “Celebrities, to Companies, randoms, OGs, etc.” ‘OGs’ refers to desirable Twitter handles, either short ones or ones that spell a desirable word.

On January 1, 2022, a report was filed on HackerOne describing a vulnerability that allows an attacker to acquire the phone number and the email address associated with Twitter accounts, even if the user has hidden these fields in their privacy settings.

“The vulnerability allows any party without any authentication to obtain a Twitter ID (which is almost equal to getting the username of an account) of any user by submitting a phone number/email even though the user has prohibited this action in the privacy settings. The bug exists due to the process of authorization used in the Android Client of Twitter, specifically in the process of checking the duplication of a Twitter account,” reads the description in the report submitted by zhirinovskiy.

“This is a serious threat, as people can not only find users who have restricted the ability to be found by email/phone number, but any attacker with a basic knowledge of scripting/coding can enumerate a big chunk of the Twitter user base unavailable to enumeration prior (create a database with phone/email to username connections). Such bases can be sold to malicious parties for advertising purposes, or for the purposes of targeting celebrities in different malicious activities.”

Five days after the report was posted, Twitter acknowledged it to be a “valid security issue”. After investigating the issue further, Twitter fixed the vulnerability and awarded zhirinovskiy a $5,040 bounty.
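The report above describes an unauthenticated account-duplication check that returned an account's ID for any submitted phone number or email, whatever the user's discoverability setting. As an added example, not Twitter's code and not taken from the report, the Python below contrasts that behaviour with a contact lookup that requires a signed-in caller, rate-limits each caller, honours the per-user opt-in flags, and returns the same answer for "not registered" and "opted out". The accounts, contact details and the per-caller limit are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    user_id: int
    handle: str
    email: str
    phone: str
    discoverable_by_email: bool = False   # the privacy settings the report says were ignored
    discoverable_by_phone: bool = False


# Constructed sample accounts; addresses and numbers are placeholders, not real contacts.
USERS = [
    User(1001, "alice", "alice@example.org", "+15550000001", discoverable_by_email=True),
    User(1002, "bob", "bob@example.org", "+15550000002"),
]
BY_EMAIL = {u.email: u for u in USERS}
BY_PHONE = {u.phone: u for u in USERS}


def leaky_duplicate_check(identifier: str) -> Optional[int]:
    """The behaviour the report describes: no caller authentication, and the account ID
    comes back whenever the email or phone is already registered, opt-in flags ignored."""
    user = BY_EMAIL.get(identifier) or BY_PHONE.get(identifier)
    return user.user_id if user else None


class RateLimiter:
    """Counts lookups per caller; a real service would use a sliding window in shared storage."""

    def __init__(self, limit: int):
        self.limit = limit
        self.counts: Dict[str, int] = {}

    def allow(self, caller: str) -> bool:
        self.counts[caller] = self.counts.get(caller, 0) + 1
        return self.counts[caller] <= self.limit


DEFAULT_LIMITER = RateLimiter(limit=5)   # constructed threshold for the example


def safe_lookup(identifier: str, session_user: Optional[int],
                limiter: RateLimiter = DEFAULT_LIMITER) -> Optional[int]:
    """Hardened contact lookup. Three checks the leaky version lacks: the caller must be
    signed in, the caller is rate limited (bulk enumeration becomes expensive and
    attributable), and only accounts that opted in to discovery by that contact type are
    returned. Every refusal is the same None, so the response does not reveal whether the
    contact is unregistered or merely hidden."""
    if session_user is None or not limiter.allow(str(session_user)):
        return None
    if "@" in identifier:
        user = BY_EMAIL.get(identifier)
        opted_in = user is not None and user.discoverable_by_email
    else:
        user = BY_PHONE.get(identifier)
        opted_in = user is not None and user.discoverable_by_phone
    return user.user_id if opted_in else None


if __name__ == "__main__":
    print("leaky:", leaky_duplicate_check("bob@example.org"))      # Bob opted out, yet his ID leaks
    print("safe: ", safe_lookup("bob@example.org", session_user=42))  # None: opt-out is honoured
```

The uniform None matters as much as the opt-in check: if "hidden" and "unknown" produced different responses or timings, the privacy setting would still be bypassable by comparing answers.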

A threat actor is now selling the data that was acquired through this vulnerability for at least $30,000. It is being offered on Breach Forums, the same forum on which the 23 terabytes of data leaked from 1 billion Chinese citizens were posted.

Read more about it here.

Marriott has been hacked again

The Marriott International hotel chain has confirmed that it has been hit by yet another data breach.

The data breach took place at one location, the BWI Airport Marriott near Baltimore. Marriott said that it is directly contacting the 300 to 400 guests who had credit card information exposed. The threat actor used social engineering to trick an employee at this single Marriott hotel into providing access to their computer. The threat actor claimed to have tried to extort the hotel chain, but according to Marriott, no money was paid. In total, 20GB of data were leaked.

In 2018, Marriott revealed that it had been hit by an enormous database breach that affected 500 million of its guests; that breach lasted 4 years. In another data breach in 2020, Marriott exposed the personal information of 5.2 million guests.

Read more about it here.

One billion records of Chinese citizens for sale online

Unknown threat actors claimed to have obtained data of one billion Chinese residents, after breaching a database of the Shanghai police. If that is true, this data breach is the largest one in the country’s history.

The anonymous internet user, identified as “ChinaDan”, posted on hacker forum Breach Forums last week, offering to sell the more than 23 terabytes (TB) of data for 10 bitcoin, equivalent to about $200,000. The data includes names, addresses, birthplaces, national IDs, phone numbers and criminal case information.

Zhao Changpeng, founder and CEO of cryptocurrency exchange Binance, tweeted last Monday that the company had detected the breach of a billion resident records “from one Asian country,” without specifying which, and had since stepped up its verification process for potentially affected users.

Shanghai authorities have not publicly responded to the purported data breach.

Read more about it here.

Cybersecurity insurance market to grow to $29.2 billion by 2027

According to a recent research report by MarketsandMarkets, the global cybersecurity insurance market is projected to grow from $11.9 billion in 2022 to $29.2 billion by 2027.

Cybercrime insurance protects organizations from financial losses relating to damage to, or loss of, information from networks and IT systems. This includes reputation loss, the cost of business interruption, infringement of regulatory data standards (such as GDPR or CCPA), and attacks from bad actors (e.g., ransomware, data breaches, etc.), depending on the coverage taken.

By organization size, the small and medium enterprise segment is expected to have the highest growth rate during the forecast period.

Asia Pacific is expected to have the highest growth rate during the forecast period.

Read more about it here.

Experts find 3.6M MySQL Servers exposed online

Shadowserver Foundation analysts discovered over 3.6 million MySQL servers publicly exposed on the Internet and responding to queries, making them attractive targets. The report identifies accessible MySQL server instances on port TCP/3306. “This includes both TLS and non-TLS responses. We do not perform any intrusive checks to discover the level of access to any databases that is possible.” says the report. “Surprisingly to us, we found around 2.3M IPv4 addresses responding with such a greeting to our queries. Even more surprisingly, we found over 1.3M IPv6 devices responding as well.”

Most accessible IPv4 MySQL servers by country are as follows: United States (740.1K), China (296.3K), Poland (207.8K) and Germany (174.9K).

Most accessible IPv6 MySQL servers by country are as follows: United States (460.8K), Netherlands (296.3K), Singapore (218.2K) and Germany (173.7K).

The researchers pointed database administrators to the MySQL 5.7 Secure Deployment Guide and the MySQL 8.0 Secure Deployment Guide. They added: “It is unlikely that you need to have your MySQL server allowing for external connections from the Internet (and thus a possible external attack surface). If you do receive a report on your network/constituency take action to filter out traffic to your MySQL instance and make sure to implement authentication on the server.”
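As an added example of the advice above (not from the Shadowserver report or from the MySQL deployment guides), the Python below reads the [mysqld] section of a my.cnf file and reports the settings that leave a server visible to the kind of scan the report describes: a bind-address that listens on every interface, plaintext connections allowed, or authentication switched off with skip-grant-tables. The two sample configurations are constructed for the example; the option names are real MySQL options.

```python
from typing import Dict, List

# Constructed sample configurations for the example.
EXPOSED_CNF = """
[mysqld]
bind-address = 0.0.0.0      # listens on every interface, so TCP/3306 answers Internet scans
port = 3306
"""

HARDENED_CNF = """
[mysqld]
bind-address = 127.0.0.1    # local clients only; remote access goes through an SSH tunnel or VPN
require_secure_transport = ON
"""


def parse_mysqld_section(text: str) -> Dict[str, str]:
    """Minimal my.cnf reader for the [mysqld] section. MySQL accepts '-' and '_' interchangeably
    in option names, so both are normalised to '_'; value-less flags (skip-networking) map to ''."""
    options: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("!"):     # skip blanks and !include directives
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "mysqld":
            continue
        key, _, value = line.partition("=")
        options[key.strip().replace("-", "_").lower()] = value.strip().strip('"')
    return options


def audit_mysqld(text: str) -> List[str]:
    """Return one finding per setting that contributes to an Internet-exposed MySQL instance."""
    opts = parse_mysqld_section(text)
    findings: List[str] = []
    if "skip_networking" in opts:
        return findings     # no TCP listener at all: nothing for a port-3306 scan to greet
    # Both 5.7 and 8.0 listen on all interfaces ('*') when bind-address is absent.
    bind = opts.get("bind_address", "*")
    if bind in ("*", "0.0.0.0", "::", "0::0"):
        findings.append(f"bind_address={bind}: port {opts.get('port', '3306')} is reachable on every "
                        "interface; bind to 127.0.0.1 or a private address and filter the rest")
    if opts.get("require_secure_transport", "OFF").upper() not in ("ON", "1"):
        findings.append("require_secure_transport is off: credentials may be sent over plaintext")
    if "skip_grant_tables" in opts:
        findings.append("skip_grant_tables is set: the server accepts every connection without authentication")
    return findings


if __name__ == "__main__":
    for name, cnf in (("exposed", EXPOSED_CNF), ("hardened", HARDENED_CNF)):
        print(name, audit_mysqld(cnf) or ["no findings"])
```

The bind-address check covers the "filter out traffic" half of the advice only at the daemon; a host firewall or cloud security group rule restricting TCP/3306 to known client addresses belongs alongside it, since a later config change can silently reopen the listener.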

Read more about it here.

This WhatsApp scam lets hackers take control of your account with a single phone call

Rahul Sasi, founder and CEO of CloudSEK, a contextual AI business that predicts cyber threats, recently published a post on LinkedIn describing the scam. According to him, it starts with the hacker calling the victim and convincing them to call a specific number, which looks like either **67*<10 digit number> or *405*<10 digit number>. Both numbers trigger call forwarding, which redirects a phone call to another number. Call forwarding is available on most, if not all, phone carriers’ systems globally and is supported by most modern mobile phones.

**67*<10 digit number> will forward all your calls to the 10 digit number.

*405*<10 digit number> will forward calls, if your number is busy, to the 10 digit number.

The 10-digit number is always a phone number controlled by the hacker.

While the victim is calling one of the numbers, the hacker starts the WhatsApp registration process for the victim’s phone number, and chooses the option to deliver One Time Password (OTP) through phone call. Because of the activated call forwarding, the OTP will travel to the hacker’s phone.

How to mitigate:

  • Ignore calls from unknown numbers.
  • Don’t make calls to unknown numbers.
  • Secure your WhatsApp account with Two-step verification.

Read more about it here.